Is it possible to check if an email is confirmed on Facebook?
Update

This was reported to Facebook via https://www.facebook.com/whitehat/report/ on Dec 16th 2013 and Facebook responded on Dec 17th that the bug has long since been fixed.

I have retested this with my Facebook account (on which I still haven't verified the email address), and when using the Graph API Explorer tool it is not possible to get the email address of this account using the Graph API or using a FQL query.

Conclusion: The email address you get from Facebook using the Graph API or a FQL query is a verified email. If an account hasn't verified its email yet, it's not possible to get it.

Original Post

I am making a web app with SSO that is offering the user to sign in with either Google or Facebook. I would like users who have both types of accounts to show up as the same user in my system regardless of which identity they log in with. To achieve this I'm thinking of using the email address as the identifier to know if I should create a new account or if the user already exists.

To not introduce any security problems I must know that the email address is verified and actually belongs to the user. For Google the userinfo API can tell me if an email is verified or not, so there's no problem here. But I cannot find anything like this in the Facebook Graph API.

Is it possible to know if an email address is confirmed on Facebook?

I know that there is a verified field, but that only tells if the account is verified and not the email address.

At first it looked like you are only able to use the Graph API for accounts where the email address has been confirmed. If the address wasn't confirmed I just got an error telling me that I had to confirm the email address first before being able to sign in to any third party site.

However, this does not seem to be true for all accounts. In some cases it's possible to get access to all parts of Facebook even if you don't have a confirmed email address. One example of this is when you sign up with a @myopera.com mail address.

When you sign up to Facebook with a @myopera.com email address you get a message that your account has been temporarily locked as soon as you submit the sign up form. To continue you need to provide your phone number to verify your account and to "keep Facebook safe and free from spam" (sorry for the Swedish in the screenshot, this was before I could get into Facebook and change language to English):

(Screenshot: Security check during sign up)

When you provide your phone number you are logged in, and Facebook doesn't nag you any further about having to verify your email address.

The only place where you can see that your email address is not yet verified is on the settings page:

(Screenshot: Facebook settings view with unconfirmed email address)

The Mobile Settings, which are usually not accessible before you have verified your email address, are available and list the phone number entered during sign up:

(Screenshot: Facebook mobile settings view with unconfirmed email address)

In addition to this it is also possible to log in to third party sites with an unconfirmed email address:

(Screenshot: Logging in to Graph API Explorer with an unconfirmed email address)

When I connect to the Graph API with this user I can get the unconfirmed email address, and the verified field returns true as expected since I have verified the account by adding a phone number. So obviously I can't trust that the email address I get from Facebook really belongs to the user that has the Facebook account.

Is there any other way of knowing if the email address is verified or not, or do I have to verify it myself if I want to use it for identifying the user?

Osteomalacia answered 11/1, 2013 at 14:48 Comment(10)
If it's only for myopera.com then we can treat these as not-verified even if Facebook Graph says they're "verified": "true". The question is: are there any other exemptions like myopera.com? Also, it makes one wonder why Facebook treats them differently. – Jerrelljerri
I am in a similar position where I want to "merge" various accounts. @nibarius, did you manage to come up with a solution? It seems that the only related field from the Graph API is indeed the "verified" property, but this does NOT seem to be what's needed here as it actually means something else. – Trierarch
@guya, sure it would be possible to treat all myopera.com addresses as not-verified. But as you say, it's impossible to know if the same is true for other addresses. – Osteomalacia
@Ion, no, unfortunately I haven't found any solution for this problem. – Osteomalacia
@nibarius, the temp solution for me was to allow merging with FB only for already logged in users. After that they can use the FB login option. – Trierarch
I've reported this security hole to facebook.com/whitehat/report. If you need to test again, try with a test account at facebook.com/whitehat/accounts – Stutzman
@CoolAJ86, thanks, it didn't strike me that this might actually be a security hole. – Osteomalacia
I'm not saying I don't trust you, @nibarius, but it would be great if there was an official take on this. I searched and searched Facebook's documentation and found nothing regarding a verified email. This is as close as I can get to the answer: developers.facebook.com/docs/plugins/registration/#named_fields – Civies
@Ashitaka, yes, it would indeed be very nice if it was possible to get a public official answer on it. – Osteomalacia
I just tested it again myself: I first tried to change the email address of my existing Facebook account, but could not select the new address as my primary email without validating it first. I also tried creating a new Facebook account with an unverified email address, and I could not "log in with Facebook" at all before the email was validated. So yes, the Facebook email address can now be trusted as a verified email address. – Feast

I was looking for an official Facebook statement regarding this issue and finally I found this: https://developers.facebook.com/docs/facebook-login/multiple-providers#postfb1, which clearly says that developers should not rely on the email address being verified.

Indeclinable answered 9/5, 2019 at 9:10 Comment(4)
Are we looking at the same page? It clearly says you can rely on the email address being verified. "After a successful login using Facebook, you will have the person's email address, Facebook ID, and access token. Your app should search for an existing account that has been created with that same email address. If one exists, you should merge the two accounts and add the Facebook info to the existing account - as recommended above." – Grapher
Please check "Adding manual login info to a Facebook Login created account" > "Ensure the Facebook Login email address is verified", then revalidate your comment. – Indeclinable
@RokKralj The answer is further down the page: "If you use an email address as the unique credential which identifies each account, your app should verify that the email address associated with the person's Facebook account (and obtained during Facebook Login) is valid. You can do this by creating code in your app to send a verification email to the address obtained after Facebook Login (you will probably need to have this step as part of your regular login system anyway)." – Legitimate
@RiZiT You and Rok Kralj are quoting from two use cases, differing by the order in which the login methods are created. It is confusing that one case mentions verifying the email address and the other doesn't. But there is no contradiction if the user is adding a manual login to a Facebook one while not logged in. You would have to verify even if Facebook already has. If the manual login came first, as in the use case Rok quoted, you would not have to verify the address if Facebook already has. Omitting the instruction for that case seems to confirm that Facebook has verified the address. – Mistrust
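Taking the asker's design from the original post (one app account per person, matched across Google and Facebook by email) together with the Facebook documentation quoted in the comments above, here is an added example, not code from the question, the answers or Facebook, of an account-linking step that merges on email only when the provider itself asserts the address is verified and otherwise sends its own verification mail. Google's `email_verified` userinfo claim and the Graph API's `id` and `email` fields are real; the `Identity` class, the `USERS` and `PENDING_LINKS` stores and all function names are constructed for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed in-memory stores standing in for the app's database (not a real schema).
USERS: dict[str, dict] = {}          # user_id -> {"email", "email_verified", "identities": {provider: subject}}
PENDING_LINKS: dict[str, dict] = {}  # sha256(token) -> {"provider", "subject", "user_id"}

@dataclass(frozen=True)
class Identity:
    provider: str         # "google" or "facebook"
    subject: str          # provider's stable user id (Google "sub", Facebook "id")
    email: str
    email_verified: bool  # True only when the provider itself asserts it

def from_google_userinfo(info: dict) -> Identity:
    # Google's OpenID Connect userinfo carries an explicit email_verified claim.
    return Identity("google", info["sub"], info["email"].lower(), bool(info.get("email_verified", False)))
def from_facebook_me(me: dict) -> Identity:
    # Graph API /me?fields=id,email has no verified-email flag, and "verified" describes the
    # account rather than the address, so the address is treated as unverified here.
    return Identity("facebook", me["id"], me["email"].lower(), False)
def _by_verified_email(email: str):
    # Only a verified address may act as a link key; an unverified one matches nothing.
    return next((u for u, r in USERS.items() if r["email_verified"] and r["email"] == email), None)
def login(ident: Identity) -> tuple[str, str]:
    # Returns ("user", user_id) when signed in, or ("verify", token) when a mail must be sent.
    uid = next((u for u, r in USERS.items() if r["identities"].get(ident.provider) == ident.subject), None)
    if uid:                              # returning user: the provider id is the key
        return "user", uid
    existing = _by_verified_email(ident.email)
    if existing is None:                 # no verified owner of this address: fresh account
        uid = f"u{len(USERS) + 1}"
        USERS[uid] = {"email": ident.email, "email_verified": ident.email_verified,
                      "identities": {ident.provider: ident.subject}}
        return "user", uid
    if ident.email_verified:             # both sides verified: merge into the existing account
        USERS[existing]["identities"][ident.provider] = ident.subject
        return "user", existing
    token = secrets.token_urlsafe(32)    # unverified match: mail this token, store only its hash
    PENDING_LINKS[hashlib.sha256(token.encode()).hexdigest()] = {
        "provider": ident.provider, "subject": ident.subject, "user_id": existing}
    return "verify", token
def confirm_link(token: str):
    # Called from the mailed link: completes the merge and returns the user_id, else None.
    pending = PENDING_LINKS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if pending is None:
        return None
    USERS[pending["user_id"]]["identities"][pending["provider"]] = pending["subject"]
    return pending["user_id"]
```

Note that an account created from an unverified Facebook address never becomes a match target for a later Google login with the same address, which is what blocks the pre-registration takeover the original post worries about.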

I've never used it, but you may be able to check with a FQL query of the user.email_hashes: http://developers.facebook.com/docs/reference/fql/user

Trotskyite answered 17/5, 2013 at 5:56 Comment(1)
Based on that documentation it looks promising. However, after some testing it looks like it can't be used after all. As mentioned in the following Stack Overflow question, it looks like you have to register the emails you want to get hashes for yourself before user.email_hashes returns anything: #7620814 – Osteomalacia
