Bartek Nowotarski

TL;DR: It was possible to eavesdrop on the data of a single request, including cookies and fb_dtsg (the CSRF token), during installation of any app in the mobile version of Facebook App Center, even though the user had "Secure Browsing" mode enabled in their Facebook settings. The bug is now fixed, but the lack of an HTTP Strict Transport Security header on Mobile Facebook makes it possible t