So, I just tested this; it's an access token that has no authorized scopes to access sensitive data. It literally only exposes public profile data, which basically just consists of name, picture info, and internal Facebook user ID -- the default public profile info listed in the developer docs.

Is it a security flaw? Absolutely. Is Facebook still terrible? Of course.

But this article is, frankly, egregiously inaccurate in its claims on the severity of the issue.