Comments on Jamal B's Blog - Infosec Mindstorm: new security hole in facebook

T R Vishwanath (2011-09-29):

Hello. I am an engineer at Facebook. We invalidate all tokens for the app (unless you have granted the app offline_access permission) once you explicitly log out of Facebook - i.e. by clicking 'Log Out' within Facebook. I just verified this behavior myself.

I think actions in the game that did not require the game to talk to Facebook for obtaining any user data can continue to work as long as you have a page open for the game. However, rest assured that any API calls the game makes to Facebook using the access token it obtained when you started the game will fail once you explicitly log out. In other words, there is no user data that the app can obtain from Facebook once you log out (assuming you haven't granted the app offline_access permission).

Please let me know if you have any further questions/concerns.