Facebook Has Been Asking for Email Passwords to Verify New Accounts


You would think that after all its recent privacy missteps, Facebook would exercise a little more caution when it implements new features. Alas, this is Facebook, so it’s still blundering from one crisis to the next. Its latest ill-conceived scheme involves asking users to hand over their email passwords. This is basically indistinguishable from a phishing attack.

The email chicanery happens when new users sign up for Facebook in a way that looks “suspicious” to the site. The Daily Beast investigated this scenario by signing up from a VPN routed through Romania, finding that Facebook does indeed ask users to input their email password to verify their account.

It’s been drilled into every internet user for years that you never give your passwords to a third party in this manner — not even to a site that you trust. Let’s ignore for a moment that Facebook has done little to earn anyone’s trust. Even making people think this is a normal practice sets them up to get hit by phishing attacks. Your email account is also a particularly sensitive portal into your online life: it holds banking details and personal communication, and it can be used to reset the passwords on your other online accounts.

According to Facebook, this “feature” is there to help users with suspicious sign-ins verify their accounts. It only appears for accounts connected to email providers that don’t support OAuth, an open standard that lets a site confirm access to an account without ever being given the account’s password. Gmail recently imposed limits on third-party account access, though, so it’s unclear whether Facebook could get what it needs from Google’s platform with a simple OAuth request.

Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l

— e-sushi (@originalesushi) March 31, 2019

Facebook also says there are other options to verify these accounts. However, those options are hidden behind the “Need help?” link, which is a counterintuitive place to have additional verification methods. For whatever reason, Facebook is pushing the shadiest possible method of confirming these accounts. One clue comes in the next dialog after providing the password. The site pops up a notification that it’s “importing contacts” from the email account without asking permission. It’s unclear if this contact data actually shows up in Facebook, but it could be fed into Facebook’s ad servers for all we know.

Facebook says the email logins are harmless. But do you really trust Facebook to handle your passwords with care and discretion? This is the company that recently admitted it stored passwords in plain text for years before someone realized that might be a bad idea. To its credit, Facebook has confirmed it will stop asking for email passwords in this manner.
