Facebook has been asking some users to give up the password to their private email accounts while signing up for the social media site, the Daily Beast reports.
The practice was first revealed earlier this week by a Twitter user, who accused Facebook of “practically fishing for passwords you are not supposed to know!”
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
The email password request is reportedly made when new users engage in what Facebook believes could be suspicious behavior, such as registering while connected through a VPN or using certain email domains.
Facebook says that when a new user provides the password to the email account being used to sign up, it can confirm whether that user is legitimate. Such practices, however, are completely ill-advised, as they mirror what would happen during a phishing attack, potentially leading users to believe such requests are normal.
Speaking with Business Insider, Bennett Cyphers, a security researcher with the Electronic Frontier Foundation, described Facebook’s actions as an “absurd overreach.”
“Even when you consent to uploading contact information to Facebook, you should never have to put in your email password to do it,” Cyphers said. “No company should ever be asking people for credentials like this, and you shouldn’t trust anyone that does. This goes against all conventional security wisdom, basic decency, and common sense.”
To make matters worse, users who give up their private email password are then informed that their email contacts have been “imported” to Facebook, despite the social media company failing to ask for permission.
In a statement to the Daily Beast, Facebook defended the practice by arguing that it did not store the passwords.
“A very small group of people have the option of entering their email password to verify their account when they sign up for Facebook for the first time,” the spokesperson said.
And although Facebook says emails can be verified by other means, doing so requires users to click the vague “Need help?” option.
The Facebook spokesperson did concede that the verification method “isn’t the best way to go about this” and stated that it would end the practice of asking for email passwords, although a timeline was not provided.
The email password fiasco comes just weeks after it was learned that Facebook stored passwords for hundreds of millions of users unencrypted on internal company servers.
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.