How the Facebook authentication security breach can compromise every account from Uber to Snapdeal to Zomato

Srikanth R P
19 Jun 2015 17:44 IST


Mohit Bagga, Co-Founder & CTO, Codebibber, and Tajinder Pal Singh Chahal describe the discovery of a major security breach in the Facebook login process, where a single access token received from Facebook for a particular app can be used to access the entire account history of a user on a series of big players like Zomato, Foodpanda or Snapdeal.

Here are Mohit and Tajinder Pal Singh Chahal in their own words:

While researching for our new venture TOTUM, we hacked around Facebook login, looking for alternate login methods. This is when we discovered a major security breach, which can compromise your data across multiple platforms.

In simple words, whenever you choose the “Login Through Facebook” option on any website or mobile app, you expose every other account where you ‘logged in through Facebook’ including Uber, Snapdeal, Zomato and Foodpanda among the rest.

To understand this, let us first look at how Facebook Login works:

[Figure: Facebook Login process]

The security breach

Let’s say you log in to app X via Facebook. X will receive an access token from Facebook and will send it to X’s server and save it.

But now X can use this same access token to log in to any and every other platform, impersonating you, and access your data, ranging from your recent orders on Zomato or your purchase history from Snapdeal to getting access to your private messages, and the list goes on.


We tested out this security breach on our TOTUM app’s test run and to our amazement, by using a single access token that we received from Facebook, we were able to access the entire account history of that user on a series of big players like Zomato, Foodpanda, Snapdeal etc.

[Figure: Facebook Login Token compromised]

Our evil plan

We initially thought of creating a Chrome plugin that can inspect the web pages before viewing and blur the text where GOT (Game of Thrones) related information is published, so that you do not read spoilers. Our guess was such a plugin would have received a pretty generous number of user downloads. But this plugin would have been infected with a virus that reads your Facebook access token and scrapes user data from different target sites. This would have given us a huge user account base to begin our exploits.


But the genius yet kind souls that we are, we decided instead to post about this breach and alert the unsuspecting net savvy souls who are ever so eager to ‘Login through Facebook’ and save the extra 2 minutes, about the consequences of this simple step.

Food for thought
Would you want every online account you ever create to be available for misuse by any random app? Isn’t it scary to think anyone can book rides using your Uber account and pay using your PayTM wallet?

Facebook has access to all the information about every platform which provides the ‘Login Through Facebook’ option. They can scrape from all the platforms anytime they want.

Until this issue is resolved, your online data is all up for grabs.
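
The check a receiving service can make against the token reuse described above, as an added example that is not part of the original article or the researchers' code: before logging anyone in, the server confirms the token was issued to its own app. It assumes the server has already fetched the token's metadata from Facebook's Graph API `debug_token` endpoint (not mentioned in the article); `OUR_APP_ID`, `accept_token` and the sample responses are constructed for illustration.

```python
import time

OUR_APP_ID = "1111111111"  # constructed placeholder: this service's own Facebook app id


class TokenRejected(Exception):
    """Raised when a client-supplied token must not be used for login."""


def accept_token(inspection, claimed_user_id, now=None):
    """Return the verified user id, or raise TokenRejected.

    `inspection` is the parsed JSON the server got back from Facebook's
    token-inspection endpoint (/debug_token) for the token the client sent.
    """
    now = time.time() if now is None else now
    data = inspection.get("data") or {}
    if not data.get("is_valid"):
        raise TokenRejected("token is not valid")
    # Audience check: a genuine Facebook token issued to some other app
    # (app X in the article) must not log anyone in here.
    if str(data.get("app_id")) != OUR_APP_ID:
        raise TokenRejected("token was issued to a different app")
    expires_at = data.get("expires_at") or 0
    if expires_at and expires_at <= now:  # assumption: 0 means no expiry
        raise TokenRejected("token has expired")
    # Never trust a user id sent alongside the token; use the inspected one.
    if str(data.get("user_id")) != str(claimed_user_id):
        raise TokenRejected("token belongs to a different user")
    return str(data["user_id"])


# Constructed inspection results (ids and timestamps are made up).
ISSUED_TO_US = {"data": {"app_id": "1111111111", "user_id": "42",
                         "is_valid": True, "expires_at": 2000000000}}
ISSUED_TO_APP_X = {"data": {"app_id": "9999999999", "user_id": "42",
                            "is_valid": True, "expires_at": 2000000000}}

if __name__ == "__main__":
    print(accept_token(ISSUED_TO_US, "42", now=1700000000))
    try:
        accept_token(ISSUED_TO_APP_X, "42", now=1700000000)
    except TokenRejected as exc:
        print("rejected:", exc)
```

A service that skips the `app_id` comparison and accepts any token Facebook reports as valid is the one exposed to the reuse the article describes.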
