Social media site plans to discontinue practice after outcry.
Facebook has been asking some users to give up the password to their private email accounts while signing up for the social media site, the Daily Beast reports.
The practice was first revealed earlier this week by a Twitter user, who accused Facebook of “practically fishing for passwords you are not supposed to know!”
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
The email password request is reportedly made when new users engage in what Facebook believes could be suspicious behavior, such as registering while connected through a VPN or using certain email domains.
Facebook says that when a new user provides the password to the email account being used to sign up, it can confirm whether that user is legitimate. Such practices, however, are completely ill-advised: they mirror what happens during a phishing attack and could lead users to believe such requests are normal.
Speaking with Business Insider, Bennett Cyphers, a security researcher with the Electronic Frontier Foundation, described Facebook’s actions as an “absurd overreach.”
“Even when you consent to uploading contact information to Facebook, you should never have to put in your email password to do it,” Cyphers said. “No company should ever be asking people for credentials like this, and you shouldn’t trust anyone that does. This goes against all conventional security wisdom, basic decency, and common sense.”
To make matters worse, users who give up their private email password are then informed that their email contacts have been “imported” to Facebook, even though the social media company never asked for permission.
In a statement to the Daily Beast, Facebook defended the practice by arguing that it did not store the passwords.
“A very small group of people have the option of entering their email password to verify their account when they sign up for Facebook for the first time,” the spokesperson said.
And although Facebook says emails can be verified by other means, doing so requires users to click the vague “Need help?” option.
The Facebook spokesperson did concede that the verification method “isn’t the best way to go about this” and stated that it would end the practice of asking for email passwords, although a timeline was not provided.
The email password fiasco comes just weeks after it was learned that Facebook stored passwords for hundreds of millions of users unencrypted on internal company servers.
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.