Gmail – Facebook detects if you are logged in Gmail

Tags: facebook, gmail, privacy, security

Today I was playing with some web security, and there was a surprise when I decided to test the Forgot Password link on Facebook.

I chose to send the password reset code to my Gmail address, and right after that Facebook popped up another window with a message telling me that I don't have to worry about my password reset code as I am already logged into my Gmail account.

Already logged in

How can they do that?

I am guessing that it has something to do with the OpenID protocol, but shouldn't I have to allow it in order for Facebook to interact with my Gmail account?

Best Answer

The OAuth tokens for Google are at https://accounts.google.com/b/0/IssuedAuthSubTokens (it's different from Linked Accounts).

When I tried it, Facebook created a popup with an OAuth prompt the first time and only briefly opened a blank popup on subsequent attempts. De-authorizing Facebook makes the prompts appear again.
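The behaviour the answer reports (a consent prompt the first time, a blank popup afterwards, and the prompt returning once the client is de-authorized) follows from how an OAuth provider remembers a user's earlier grant. The toy authorization server below is an added illustration of that mechanism; it is not Google's or Facebook's code, and the class and method names, the user `alice@example.com`, the client id `facebook-demo` and the `email` scope are all constructed for the demo.

```python
"""Toy OAuth authorization server modelling the consent behaviour described above.

Constructed for illustration only; not Google's or Facebook's implementation.
AuthorizationServer, authorize, revoke, the user 'alice@example.com' and the
client id 'facebook-demo' are assumptions made for this example.
"""
import secrets


class AuthorizationServer:
    """Minimal model of the identity-provider side (the role Google plays)."""

    def __init__(self):
        # (user, client_id) -> set of scopes the user previously granted.
        # This is what a user sees on the provider's "issued tokens" page.
        self.grants = {}
        # users who currently hold a provider session (a browser login cookie)
        self.logged_in = set()
        # consent screens actually shown, recorded so the demo can inspect them
        self.prompts_shown = []

    def login(self, user):
        self.logged_in.add(user)

    def logout(self, user):
        self.logged_in.discard(user)

    def authorize(self, user, client_id, scope, user_consents=True):
        """Process one authorization request opened by a client popup.

        Returns (outcome, code) where outcome is one of:
          'login'  - no provider session, so the user must sign in first
          'prompt' - a consent screen was shown (first request or new scope)
          'silent' - an existing grant already covers the scope; no user
                     interaction at all, which is the "blank popup" case
        """
        if user not in self.logged_in:
            return "login", None
        key = (user, client_id)
        if scope <= self.grants.get(key, set()):
            return "silent", self._issue_code()
        self.prompts_shown.append((user, client_id, frozenset(scope)))
        if not user_consents:
            return "prompt", None
        self.grants.setdefault(key, set()).update(scope)
        return "prompt", self._issue_code()

    def revoke(self, user, client_id):
        """De-authorize a client, as a user does from the issued-tokens page."""
        self.grants.pop((user, client_id), None)

    @staticmethod
    def _issue_code():
        # opaque one-time authorization code the client later exchanges for a token
        return secrets.token_urlsafe(16)


def simulate():
    """Replay the sequence the answer reports; returns the outcomes in order."""
    server = AuthorizationServer()
    user, client, scope = "alice@example.com", "facebook-demo", {"email"}
    server.login(user)
    outcomes = []
    outcomes.append(server.authorize(user, client, scope)[0])  # first time: prompt
    outcomes.append(server.authorize(user, client, scope)[0])  # again: silent
    server.logout(user)
    outcomes.append(server.authorize(user, client, scope)[0])  # no session: login
    server.login(user)
    server.revoke(user, client)
    outcomes.append(server.authorize(user, client, scope)[0])  # after revoke: prompt
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The `silent` outcome is the one that matters for privacy: it completes with no user interaction only when the user is both signed in at the provider and has a standing grant for that client, so a client that receives a code from a silently closing popup learns that the user is currently logged in. The corresponding control on the user's side is the issued-tokens page the answer links, where revoking the grant puts the consent screen back in front of every later request.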