Facebook Has Been Asking for Email Passwords to Verify New Accounts

You would think that after all its recent privacy missteps, Facebook would exercise a little more caution when it implements new features. Alas, this is Facebook, so it’s still blundering from one crisis to the next. Its latest ill-conceived scheme involves asking users to hand over their email passwords. This is basically indistinguishable from a phishing attack.

The email chicanery happens when new users sign up for Facebook in a way that looks “suspicious” to the site. The Daily Beast investigated this scenario by signing up from a VPN routed through Romania, finding that Facebook does indeed ask users to input their email password to verify their account.

It’s been drilled into every internet user for years that you don’t ever give your passwords to a third party in this manner, not even to a site that you trust. Let’s ignore for a moment that Facebook has done little to earn anyone’s trust. Even making people think this is a normal practice sets them up to get hit by phishing attacks. Your email account is also a particularly sensitive portal into your online life, with banking details, personal communication, and the ability to reset passwords on other online accounts.

According to Facebook, this “feature” is there to help users with suspicious sign-ins verify their accounts. It only appears for accounts connected to emails without OAuth, an open standard that allows access without sharing passwords. However, Gmail recently imposed limits on third-party account access, so it’s unclear if Facebook could get what it needs from Google’s platform with a simple OAuth ping.

Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l

— e-sushi (@originalesushi) March 31, 2019

Facebook also says there are other options to verify these accounts. However, those options are hidden behind the “Need help?” link, which is a counterintuitive place to have additional verification methods. For whatever reason, Facebook is pushing the shadiest possible method of confirming these accounts. One clue comes in the next dialog after providing the password. The site pops up a notification that it’s “importing contacts” from the email account without asking permission. It’s unclear if this contact data actually shows up in Facebook, but it could be fed into Facebook’s ad servers for all we know.

Facebook says the email logins are harmless. But do you really trust Facebook to handle your passwords with care and discretion? This is the company that recently admitted it stored passwords in plain text for years before someone realized that might be a bad idea. To its credit, Facebook has confirmed it will stop asking for email passwords in this manner.
