
Followed the link and the README is a bit spare on details. For the less technical this still would require the phishee to manually enter credentials which then can be relayed to the attacker. Correct? The article mentions this happened while the author was asleep — any thoughts on how that would work?


One thing that can happen is you get enduring credentials from the OTP sign-in, and they last despite other credentials simultaneously existing elsewhere.

I only use Facebook trapped inside Facebook Container in one Firefox on one computer. But my understanding is that it's possible to sign in to Facebook from say a phone and a laptop at the same time, so the bad guys could get you to give them working credentials one day and persist those until you're asleep before using them. If you went to Facebook's security settings "Where you're logged in" and it lists two logins, one in "Paris" while you are in New York, you might realise there's a problem and force them out. But most people likely never look at that, why would they?



