I am currently implementing Facebook Login on my website for the first time and I have some doubts on how secure this is.

I already have a database with users and for each one of them, I store an email address, so I really need to check whether an email address I get from Facebook is already present in my database or not, otherwise I would have some problems with duplicate users. If a user is already present, I simply merge data from Facebook into the existing account on my website and I connect the user. Otherwise, I create an account for him.

But here is the thing:

1. Alice connects on my website using email address alice@users.com but Alice is not registered on Facebook with that email address

2. Bob registers on Facebook using Alice’s email address alice@users.com and verify the account using an SMS received on any phone number (I checked and this is possible, an account can be verified without clicking on the link received by email). I agree that Alice would be notified on her email address but still, this is possible.

3. Bob triggers login on my website using facebook connect, while being connected on Facebook using Alice’s email address.

4. Bob’s Facebook account is active and verified, and I have to assume he already has an account on my website as alice@users.com is already in my database, so I connect him instead of Alice and he can use my website on Alice’s account.

=> I tried this scenario on several websites and I could connect on someone else’s account (a fake Facebook account that I created 😉 ), as long as I knew the email address.

Does anyone have an idea on how to prevent these situations?