
Getting information about Facebook and other accounts a user is logged into


CrimpJiggler


I read a security article a while ago that claimed it is dangerous to browse the web while you are logged into Gmail, Facebook, whatever, because any website can get the profile ID of these accounts if you are logged into them. That sounds like bs to me, but the article seemed relatively legitimate so I'm wondering about this. Can you, with PHP or JavaScript, get the profile ID of social media/whatever accounts a user is logged into?

A website owner can use the APIs from other sites and then add a script to their own site to detect whether a user is logged in or not.

What that API reveals about a user could vary.

The website owner would apply and get an app ID.

For Facebook, they have a login app.

https://developers.facebook.com/products/login/

And in more detail

https://developers.facebook.com/products/login/

Now what's interesting here is that it is just intended to detect if a person is logged in or not and give them a login button.

There is additionally the API for doing logins on another site, which sends a token, email and user's ID.

FB.api('/me', function(response) {
    console.log(JSON.stringify(response));
});

Which returns

{
  "id":"101540562372987329832845483",
  "email":"[email protected]",
  "first_name":"Bob",
  [ ... ]
}

I would guess that Facebook has some security to not let anyone know your ID unless you use that site to log in and they happen to use either a Facebook login button or some custom one of theirs that is really Facebook, not to mention if you used the same login credentials as your Facebook account.

I should hope Facebook has some same-domain policies for iframes.

Anything is possible, but to me it shouldn't be possible unless you actually logged in through their system, not merely visited.
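
An added example, not part of the original thread and not Facebook's own code: it separates the three states the JavaScript SDK's `FB.getLoginStatus` reports and shows that the `/me` call quoted in the reply above is only reached in the `connected` state, that is, after the visitor has approved that site's app. The helper names (`exposureFor`, `checkVisitor`, `stubSdk`) and all sample values are constructed for illustration.

```javascript
// Added illustration. Response shapes follow FB.getLoginStatus from the
// Facebook JavaScript SDK; every sample value below is constructed.

// Map a getLoginStatus-style response to what the embedding site learns.
function exposureFor(response) {
  const status = response && response.status;
  if (status === 'connected' && response.authResponse) {
    // The visitor approved this site's app: a token and user ID are issued.
    return { loggedInToFacebook: true, authorizedThisApp: true,
             userID: response.authResponse.userID, canCallMe: true };
  }
  if (status === 'not_authorized') {
    // Logged in to Facebook but never approved this app: no ID, no token.
    return { loggedInToFacebook: true, authorizedThisApp: false,
             userID: null, canCallMe: false };
  }
  // 'unknown' or a malformed response: nothing about the account is known.
  return { loggedInToFacebook: null, authorizedThisApp: false,
           userID: null, canCallMe: false };
}

// Ask for the profile only when the status makes that possible.
function checkVisitor(sdk, onResult) {
  sdk.getLoginStatus(function (response) {
    const exposure = exposureFor(response);
    if (!exposure.canCallMe) return onResult(exposure, null);
    sdk.api('/me', function (profile) { onResult(exposure, profile); });
  });
}

// Constructed stand-in for the SDK so the example runs offline.
function stubSdk(statusResponse, profile) {
  return {
    getLoginStatus: (cb) => cb(statusResponse),
    api: (path, cb) => cb(path === '/me' ? profile : { error: 'unsupported' }),
  };
}

// In a page that has loaded the real SDK, the same check runs against FB.
if (typeof FB !== 'undefined') {
  checkVisitor(FB, (exposure, profile) => console.log(exposure, profile));
}
```
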

Archived

This topic is now archived and is closed to further replies.
