frappe / erpnext

Free and Open Source Enterprise Resource Planning (ERP)
https://erpnext.com
GNU General Public License v3.0

Unable to login using social login keys #4166

Closed justinlusg closed 8 years ago

justinlusg commented 8 years ago

I've successfully saved the social login keys for Facebook. However, every time I try to login this page will always appear after Facebook authentication. Every time I login with the same Facebook account, the system will always prompt me for my email, first name and last name.


Possible security flaw: I can fill in any email address in the system after I log in with my Facebook account by entering the email address of the user in the email field.

anandpdoshi commented 8 years ago

@justinlusg thanks for reporting this

anandpdoshi commented 8 years ago

@justinlusg are you using the latest version? I am unable to reproduce this error locally. Could also be due to some missing info from your profile, or you might have denied permissions.

justinlusg commented 8 years ago

@anandpdoshi yes, it is the latest version. You can try it over here:

http://erpdemo.agtech.com.sg Username: administrator Password: demo

I've set up a demo site and tested it, and it has the same problem.

The "One Last Step" will always appear no matter how many times I've logged in using Facebook, and during the "One Last Step" I am able to fill in any email address and gain access to that user (security flaw).

fderyckel commented 8 years ago

Same thing for me.
It is just with Facebook login. It works fine with Google.

fderyckel commented 8 years ago

For some reason, I can see that user/customer created by a Google Login works fine


But it stays blank with Facebook.


justinlusg commented 8 years ago

@fderyckel I've not tried personally with Google, will try it.

@anandpdoshi might be a possible security flaw, which is critical to be resolved soon.

justinlusg commented 8 years ago

After the latest update, the third-party authentication disappeared under the user account. The Facebook authentication still does not work either. The security flaw, however, is still there: I can use Facebook to authenticate and get into anybody's account without their permission/password.
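The account-linking mistake described in this thread, shown as an added illustration (not Frappe/ERPNext code): the vulnerable variant takes the email typed into the "one last step" form and logs the visitor into whichever existing account has that address, while the hardened variant links a provider identity only through its stable subject id or a provider-verified email. `LocalUser`, `ProviderProfile`, `USERS` and the two `resolve_user_*` functions are constructed for this example.

```python
# Added example of the social-login account-resolution step; not ERPNext's code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class LocalUser:
    email: str
    name: str

@dataclass
class ProviderProfile:
    provider: str
    subject: str                    # stable user id issued by the provider
    email: Optional[str] = None     # None when the provider did not share it
    email_verified: bool = False

# Constructed sample user store: email -> LocalUser
USERS = {"alice@example.com": LocalUser("alice@example.com", "Alice")}

def resolve_user_vulnerable(profile, form):
    """Mirrors the reported flaw: the completion form's email decides the account."""
    email = profile.email or form.get("email")
    if email in USERS:
        return USERS[email]          # attacker-chosen address -> victim's session
    USERS[email] = LocalUser(email, form.get("first_name", ""))
    return USERS[email]

def resolve_user_hardened(profile, form, links):
    """Links only via the provider's stable id or a provider-verified email.

    `links` maps (provider, subject) -> local email for previously linked logins.
    """
    key = (profile.provider, profile.subject)
    if key in links:                 # returning visitor: use the stored link
        return USERS[links[key]]
    if profile.email and profile.email_verified and profile.email in USERS:
        links[key] = profile.email   # first login; the provider vouches for the email
        return USERS[profile.email]
    # No verified email from the provider: a form-supplied address may only
    # create a NEW account, never attach this identity to an existing user.
    email = form.get("email")
    if not email or email in USERS:
        raise PermissionError("email must be verified before linking to an existing account")
    USERS[email] = LocalUser(email, form.get("first_name", ""))
    links[key] = email
    return USERS[email]
```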

anandpdoshi commented 8 years ago

@justinlusg fixed. Facebook had changed its API.