A relatively unknown (until now, that is) hacker named Nir Goldshlager found and disclosed a huge security flaw in the OAuth system that Facebook uses to let developers interact with user accounts when a user clicks the little “Allow” button for an app or service. The flaw gave Goldshlager full access to any account on the site. Terrifying.
Fortunately, it’s already been patched. But Goldshlager documented what he did here.