Facebook Has Been Asking for Email Passwords to Verify New Accounts

You would think that after all its recent privacy missteps, Facebook would exercise a little more caution when it implements new features. Alas, this is Facebook, so it’s still blundering from one crisis to the next. Its latest ill-conceived scheme involves asking users to hand over their email passwords. This is basically indistinguishable from a phishing attack.

The email chicanery happens when new users sign up for Facebook in a way that looks “suspicious” to the site. The Daily Beast investigated this scenario by signing up from a VPN routed through Romania, finding that Facebook does indeed ask users to input their email password to verify their account.

It’s been drilled into every internet user for years that you don’t ever give your passwords to a third party in this manner, not even to a site that you trust. Let’s ignore for a moment that Facebook has done little to earn anyone’s trust. Even making people think this is a normal practice sets them up to get hit by phishing attacks. Your email account is also a particularly sensitive portal into your online life, with banking details, personal communication, and the ability to reset passwords on other online accounts.

According to Facebook, this “feature” is there to help users with suspicious sign-ins verify their accounts. It only appears for accounts connected to email providers without OAuth, an open standard that allows access without sharing passwords. However, Gmail recently imposed limits on third-party account access, so it’s unclear if Facebook could get what it needs from Google’s platform with a simple OAuth ping.

Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l

— e-sushi (@originalesushi) March 31, 2019

Facebook also says there are other options to verify these accounts. However, those options are hidden behind the “Need help?” link, which is a counterintuitive place to have additional verification methods. For whatever reason, Facebook is pushing the shadiest possible method of confirming these accounts. One clue comes in the next dialog after providing the password. The site pops up a notification that it’s “importing contacts” from the email account without asking permission. It’s unclear if this contact data actually shows up in Facebook, but it could be fed into Facebook’s ad servers for all we know.

Facebook says the email logins are harmless. But do you really trust Facebook to handle your passwords with care and discretion? This is the company that recently admitted it stored passwords in plain text for years before someone realized that might be a bad idea. To its credit, Facebook has confirmed it will stop asking for email passwords in this manner.
