Is it possible to check if an email is confirmed on Facebook?

Update

This was reported to Facebook via https://www.facebook.com/whitehat/report/ on Dec 16th 2013 and Facebook responded on Dec 17th that the bug has long since been fixed.

I have retested this with my Facebook account (that I still haven't verified the email address on) and when using the Grap API Explorer tool it is not possible to get the email address of this account using the Graph API or using a FQL query.

Conclusion: The email address you get from Facebook using the Graph API or a FQL query is a verified email. If an account hasn't verified it's email yet it's not possible to get it.

Original Post

I am making a web app with SSO that is offering the user to sign in with either Google or Facebook. I would like users who have both types of accounts to show up as the same user in my system regardless of which identity they log in with. To achieve this I'm thinking of using the email address as the identifier to know if I should create a new account or if the user already exists.

To not introduce any security problems I must know that the email address is verified and actually belongs to the user. For Google the userinfo API can tell me if an email is verified or not, so there's no problem here. But I can not find anything like this in the Facebook Graph API.

Is it possible to know if an email address is confirmed on Facebook?

I know that there is a verified field, but that only tells if the account is verified and not the email address.

At first it looked like you are only able to use the Graph API for accounts where the email address has been confirmed. If the address wasn't confirmed I just got an error telling me that I had to confirm the email address first before being able to sign in to any third party site.

However this does not seem to be true for all accounts. In some cases it's possible to get accesses to all parts of Facebook even if you don't have a confirmed email address. One example of this is when you sign up with a @myopera.com mail address.

When you sign up to Facebook with a @myopera.com email address you get a message that your account has been temporarily locked as soon as you submit the sign up form. To continue you need to provide your phone number to verify your account and to "keep Facebook safe and free from spam" (sorry for the Swedish in the screenshot, this was before I could get into Facebook and change language to English):

When you provide your phone number you are logged in and Facebook doesn't nag you any further about that you have to verify your email address.

The only place where you can see that your email address is not yet verified is on the settings page:

The Mobile Settings that is usually not accessible before you have verified your email address is available and lists the phone number entered during sign up:

In addition to this it is also possible to log in to third party sites with an unconfirmed email address:

When I connect to the graph api with this user I can get the unconfirmed email address and the verified field returns true as expected since I have verified the account by adding a phone number. So obviously I can't trust that the email address I get from Facebook really belongs to the user that has the Facebook account.

Is there any other way of knowing if the email address is verified or not or do I have to verify it myself if I want to use it for identifying the user?

I was looking for an official Facebook statement regarding this issue and finally i found this: https://developers.facebook.com/docs/facebook-login/multiple-providers#postfb1, which clearly says that developer should not rely on the fact that email address is verified.

I've never used it, but you may be able to check with a FQL query of the user.email_hashes: http://developers.facebook.com/docs/reference/fql/user