Today I was playing with some web security, and there was a surprise when I decided to test the Forget the Password link on Facebook.

I chose to send the password reset code to my Gmail address, and right after that Facebook popped up another window with a message telling me that I didn't have to worry about my password reset code, as I was already logged into my Gmail account.

How can they do that?

I am guessing that it has something to do with the OpenID protocol, but shouldn't I have to allow it in order for Facebook to interact with my Gmail account?