
I'm ashamed that this doesn't surprise me much. This looks like a huge oversight on Facebook's part, but with the countless reports on Facebook failing with privacy here, there and everywhere, it's like I don't care anymore.

The thing that numbs me even more is that client work, no matter how good of an argument one gives, will always have some form of third-party social login because it's oh-so-important and users will _always_ use it.



It isn't an oversight by Facebook - it is by design. Facebook was a part of the decision to use Facebook login credentials to log into Spotify. Additionally, Facebook does not list access to your friend list (and your friends' email addresses) in their list of permissions. Rather, those details are implicit in using Facebook to authenticate.

As an example, using FB to authenticate with Quora does not list access to friends list in the permissions but Quora will send an email to every friend of yours already on Quora to notify them that you joined.

Another issue with this is that if you have never given any Facebook permission to Blizzard, but happen to use the same email address as listed on your Facebook account then Blizzard will attach your real name to your account without your permission.


Facebook does not give implicit permission to access "your friends' email addresses." In fact, they don't grant that permission under any circumstance.


What I believe the OP was saying is that they grant access to the friends list, and that Quora already has many of their e-mail addresses. Thus, they indirectly get access to your friends' e-mail addresses.


Is this true? I hadn't seen this. I've found Facebook specifically don't let you access the emails of a user's friends. Quora could easily receive higher access of course, but this still seems like it shouldn't be possible.


But Quora gets your email address and your friend list, and then when your friend joins they get your friend's email address, so they can email you both about each other.
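The indirect disclosure described in the comment above, as an added example that is not code from the original thread and models no real service or provider API: each member's e-mail comes from their own login, and joining the provider's friend list (member IDs only) against the member table is what lets the site attach e-mails to friends the provider never disclosed. The `Service` class, its method names and the sample members are constructed for illustration; the opt-in variant is one possible mitigation, not something the thread describes.

```python
"""Constructed model of friend-list joins on a social-login site.

The provider hands over an e-mail only for the user who logs in, plus a
friend list of provider IDs. The site still ends up knowing friends'
e-mails, because those friends logged in earlier and left their own e-mail
behind. Nothing here talks to a real provider; all data is embedded inline.
"""

from dataclasses import dataclass


@dataclass
class Member:
    provider_id: str       # the social provider's opaque user id, e.g. "fb:alice"
    email: str             # learned only when this member logged in themselves
    friend_ids: set        # provider ids from the friend list granted at login
    discoverable: bool = True  # hypothetical opt-in: "friends may be told I joined"


class Service:
    """Member table of a hypothetical site that uses social login."""

    def __init__(self) -> None:
        self.members: dict[str, Member] = {}

    def join(self, provider_id: str, email: str, friend_ids, discoverable: bool = True) -> Member:
        member = Member(provider_id, email, set(friend_ids), discoverable)
        self.members[provider_id] = member
        return member

    def friends_on_service(self, provider_id: str) -> dict[str, Member]:
        """Intersect the newcomer's friend list with the member table."""
        newcomer = self.members[provider_id]
        return {fid: self.members[fid] for fid in newcomer.friend_ids if fid in self.members}

    def emails_learned_via_friends(self, provider_id: str) -> dict[str, str]:
        """E-mails the site can now tie to provider_id's friends.

        The provider never returned these addresses; they came from the
        friends' own earlier logins, and the friend list is the join key.
        """
        return {fid: m.email for fid, m in self.friends_on_service(provider_id).items()}

    def notify_on_join(self, provider_id: str) -> list:
        """Naive behaviour: mail every friend already on the site.

        Returns (recipient e-mail, subject) pairs instead of sending, so the
        effect can be inspected. Note the newcomer's address is exposed to
        every friend, and every friend's address is used, without either
        side having agreed to be linked.
        """
        newcomer = self.members[provider_id]
        subject = f"{newcomer.email} just joined"
        return [(f.email, subject) for f in self.friends_on_service(provider_id).values()]

    def notify_on_join_opt_in(self, provider_id: str) -> list:
        """Same join, but both sides must have opted in to being discoverable,
        and the mail names the newcomer by provider id, not by e-mail."""
        newcomer = self.members[provider_id]
        if not newcomer.discoverable:
            return []
        subject = f"A friend ({newcomer.provider_id}) just joined"
        return [(f.email, subject)
                for f in self.friends_on_service(provider_id).values()
                if f.discoverable]


def demo() -> dict:
    """Constructed scenario: alice and bob are members; carol joins last."""
    svc = Service()
    svc.join("fb:alice", "alice@example.com", {"fb:bob", "fb:carol"})
    svc.join("fb:bob", "bob@example.com", {"fb:alice"}, discoverable=False)
    svc.join("fb:carol", "carol@example.com", {"fb:alice", "fb:bob"})
    return {
        "learned": svc.emails_learned_via_friends("fb:carol"),
        "naive": sorted(svc.notify_on_join("fb:carol")),
        "opt_in": sorted(svc.notify_on_join_opt_in("fb:carol")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The join itself is harmless bookkeeping; the privacy problem is entirely in what the site does with the intersection, which is why the opt-in variant checks both the newcomer and each friend before sending anything.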


Oh ok, so the issue is that the person who joins last has information published about them that they may not want published. I can kinda see that but it's not something that would bother me personally. An app like Grindr yeah, but not Quora.


The issue here isn't with Facebook privacy. If I guess (or you tell me) your bank's online login information, does that give me the right to log-in to your account and start mucking with things? Facebook has an API to access your account through OAuth and Graph; Spotify should never login on your behalf.


That would be illegal (highly illegal actually). It should also be illegal to do what Spotify is doing, but I'll go out on a limb and say that they won't be held accountable. People have gone to jail for incrementing IDs in GET variables, accessing Facebook accounts without permission and installing apps goes way way beyond that.


I agree that it seems illegal.

We have thousands of usernames and passwords for users on our services. If we then tried using these to log into our users' Facebook accounts in order to install an app of ours we'd be rightly prosecuted. Yet this is exactly what Spotify are doing.


No, it's not.


Ok, if we added some text saying 'Login with Facebook' to our login form and then did the above it would be exactly what Spotify are doing. And still illegal.


Spotify aren't "logging into the user's account" as suggested, the user is signing in with their FB details and by adding an app to their account FB reactivates their account. The issue here is only one of poor communication, not of illegal account access. Saying otherwise is disingenuous.


Spotify uses a private Facebook API that FB gave them access to.


We kind of have a different problem. Clients all want it in the apps we make, but analytics show that very few users use those features. Which sucks because it takes forever to implement all that stuff -_-


Do you know of any third-party data on that (perhaps a blog post or published data)? Intuitively I believe what you are saying, but I really want to show someone else.



