
Your mistake is using "Log in with Facebook" on a mobile device.

Since neither iOS nor Android has any kind of trusted UI, there is no way you can be sure if you are logging into Facebook in an app, or just giving that app your credentials for them to do with as they please.

Until iOS or Android get trusted UI for these use cases, I suggest using browsers on Windows/Mac/Linux where you can see in the address bar which company you are giving credentials to, and it can't be faked as easily.

If you must use a mobile device to log into Facebook via a third party app, I suggest using a new Facebook account each time.



> If you must use a mobile device to log into Facebook via a third party app, I suggest using a new Facebook account each time.

I might be wrong about this as I've not used Facebook for many years now, but doesn't Facebook require a phone number for new accounts nowadays, and require you to use your real name as well?


It's actually even nastier than that. If you fail their automated checks for fake accounts, they'll lock your account and require you to submit a photo of your face and ID card.


No, I have an older relative who creates a new account every other week for whatever reason.

Think of how many accounts are created for gaming reasons. Some games require friends taking action to progress. Some allow friends to send prizes like lives/money/resources.


> No, I have an older relative who creates a new account every other week for whatever reason.

Could be like my grandma who would occasionally manually log out of the app, but then the next time she loaded the app, rather than actually logging in again, she'd create a new account because that's what she did the first time she loaded the app and thought she had to do that every time.


I don't feel comfortable tying any two logins together for any site, regardless of mobile vs. desktop. Choosing to log into any site using Facebook, Google, etc. is setting up for trouble. I much prefer a strong password manager and separate logins for everything.


It's possible to do "trusted UI" on iOS/Android by opening a browser window that shows you're actually logging into facebook-dot-com. That still wouldn't prevent these scams from working because users don't necessarily know how to tell the difference between "trusted UI" and "scam UI".


Except it isn't, because the app can just show a UI that looks like a browser window, and there's no way for the user to know.


If you open a browser window, there are going to be some things that can't be faked 100% accurately, e.g. on iOS there will be a link back to the app at the top left, there is going to be an animation, and so on.

It could be faked 95% accurately, but that's moot, because like I said, the user hasn't necessarily learned what "trusted UI" is in the first place.


https://news.ycombinator.com/item?id=24470530

Looks like it was a real Facebook login webview.


...which is different from a browser window, running inside the actual system browser.

The difference may of course be subtle, but even obviously fake logins can work on the untrained eye.



(OP here)

While you are absolutely right, I want to highlight that this was done in a quite sophisticated way. It's actually the real login page of Facebook in a webview. I have 2FA on all my accounts including FB, so it looked very legit. Once you have logged in, they seem to grep the token and close the webview.


You mean they extracted your primary full-access token, not the generated restricted OAuth token?


If your app has a webview in it, on both iOS and Android, you have full access to run script inside that webview and take/set cookies for any domain. You can easily take the auth cookie.

Some Google auth cookies can only be used on the same TLS session that created them [1]. That means the TLS session resumption information (which can be tied to hardware platform features like the TPM) is required to make use of a stolen auth cookie. Unfortunately, while that approach has big security benefits, it's pretty anti-user-privacy.

[1]: https://nakedsecurity.sophos.com/2018/10/25/could-tls-sessio...
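The mitigation described in the comment above, as an added example that is not code from the thread or from any vendor: a server mints a session cookie whose MAC covers an identifier derived from the issuing TLS session, so a cookie lifted out of a webview and replayed over a different TLS session fails verification. The binding identifiers here are constructed random bytes standing in for what a real deployment would derive from the TLS connection (e.g. Token Binding or exported keying material).

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the demo; a real service would load it
# from a key store, not generate it at import time.
SERVER_KEY = secrets.token_bytes(32)


def _mac(user: str, nonce: str, tls_binding_id: bytes) -> str:
    """HMAC over the cookie fields plus the TLS session binding identifier."""
    msg = f"{user}|{nonce}|".encode() + tls_binding_id
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(user: str, tls_binding_id: bytes) -> str:
    """Mint a cookie at login time, bound to the TLS session that performed the login."""
    nonce = secrets.token_hex(16)
    return f"{user}|{nonce}|{_mac(user, nonce, tls_binding_id)}"


def verify_cookie(cookie: str, tls_binding_id: bytes) -> bool:
    """Accept the cookie only if its MAC matches under the binding id of the
    TLS session it is presented over. A copy replayed from another session
    (different binding id) or a tampered cookie is rejected."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    user, nonce, tag = parts
    return hmac.compare_digest(tag, _mac(user, nonce, tls_binding_id))


def replay_demo() -> dict:
    """Constructed scenario: the victim logs in over TLS session A; an attacker
    copies the cookie out of a webview and presents it over TLS session B."""
    session_a = secrets.token_bytes(32)  # binding id of the victim's TLS session
    session_b = secrets.token_bytes(32)  # binding id of the attacker's TLS session
    cookie = issue_cookie("victim", session_a)
    return {
        "victim_same_session": verify_cookie(cookie, session_a),
        "attacker_replay": verify_cookie(cookie, session_b),
        "tampered_user": verify_cookie("admin" + cookie[len("victim"):], session_a),
    }


if __name__ == "__main__":
    print(replay_demo())
```

The privacy trade-off the comment mentions is visible here too: the binding id is a stable per-connection identifier the server must retain for the cookie's lifetime.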


Yes, pretty sure. It wasn't an OAuth screen but the actual FB login screen.


iOS will redirect you to your Facebook app


Delete the app. There’s no reason to install it.


iOS has trusted UI via "double-tap-side-hardware-power-button". So it's a trusted trigger, and a presumably native UI.

I've been very impressed by eBay/PayPal providing "very good" almost native-feeling payment integration (swipe-to-pay, UI coming up from the bottom of the screen), so it may not last forever, but it's interesting to hear of the depth of scamming possible on phone UIs (and probably desktop UIs too).


> Your mistake is...

Not mine. I just posted what Niek van der Maas wrote on his GitHub. I don't think he's even reading this HN thread.


Actually I am ;)


Cool :)



