Facebook has several security measures to protect users’ account, such as a user “” is granted to the Facebook application (like Candy Crush Saga, Lexulous Word Game) When the user authorizes it, it provides temporary and secure access to Facebook APIs. Approved Facebook apps can publish or delete content on your behalf using the access tokens, rather than your Facebook password. The vulnerability is not new, it has already been known for a year, but Facebook is still vulnerable to hackers and surveillance agencies like the NSA.
Source: https://thehackernews.com/2014/03/hacking-facebook-user-access-token-with.html