Facebook has been asking some users to give up the password to their private email accounts while signing up for the social media site, the Daily Beast reports.
The discovery was first revealed by a Twitter user earlier this week, who accused Facebook of “practically fishing for passwords you are not supposed to know!”
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
The email password request is reportedly made when new users engage in what Facebook believes could be suspicious behavior, such as registering while connected through a VPN or using certain email domains.
By providing the password to the email account being used to sign up, Facebook says it can confirm whether a new user is legitimate. The practice is ill-advised for two reasons. First, the prompt is indistinguishable from what a phishing page would show, so it trains users to treat a third party asking for their mailbox password as normal. Second, a mailbox password proves far more than ownership of an address: it grants full read and send access to the account, and to password resets for every other service tied to it.
Speaking with Business Insider, Bennett Cyphers, a security researcher with the Electronic Frontier Foundation, described Facebook’s actions as an “absurd overreach.”
“Even when you consent to uploading contact information to Facebook, you should never have to put in your email password to do it,” Cyphers said. “No company should ever be asking people for credentials like this, and you shouldn’t trust anyone that does. This goes against all conventional security wisdom, basic decency, and common sense.”
To make matters worse, users who give up their private email password are then informed that their email contacts have been “imported” to Facebook, even though the company never asked for permission to do so.
In a statement to the Daily Beast, Facebook defended the practice by arguing that it did not store the passwords.
“A very small group of people have the option of entering their email password to verify their account when they sign up for Facebook for the first time,” a spokesperson said.
And although Facebook says emails can be verified by other means, doing so requires users to click the vague “Need help?” option.
The Facebook spokesperson did concede that the verification method “isn’t the best way to go about this” and stated that it would end the practice of asking for email passwords, although a timeline was not provided.
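The standard way to confirm that a new user controls an email address, and the “other means” the spokesperson alludes to, is to send a single-use, short-lived token to the address and accept the token back, so the site never learns the mailbox password. The following is an added illustration of that pattern, not Facebook’s code: the server secret, the in-memory pending table, the fake outbox and the example.invalid link are all constructed stand-ins for real infrastructure.

```python
"""Verify ownership of an email address with a one-time token, never with
the mailbox password. Added example; not code from the article or Facebook.
Assumptions: an in-memory pending table and a list standing in for an SMTP
client, a constructed server secret, and an injectable clock for testing."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a verification link lives 15 minutes


class EmailVerifier:
    def __init__(self, server_secret: bytes, now: Callable[[], float] = time.time):
        self._secret = server_secret
        self._now = now
        # HMAC(token) -> (normalised email, expiry). Only a keyed hash of the
        # token is stored, so a leaked table cannot be turned back into links.
        self._pending: Dict[str, Tuple[str, float]] = {}
        # Constructed stand-in for outbound mail: (recipient, message body).
        self.outbox: List[Tuple[str, str]] = []

    def _digest(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str) -> None:
        """Mail a fresh token to the address; the raw token exists only in that mail."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._pending[self._digest(token)] = (email.lower(), self._now() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, f"https://example.invalid/verify?t={token}"))

    def confirm(self, token: str) -> Optional[str]:
        """Return the verified address, or None if the token is unknown, replayed or expired."""
        entry = self._pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


def _token_from_link(link: str) -> str:
    return link.split("t=", 1)[1]


def run_demo() -> dict:
    """Exercise the happy path and the three failure modes a practitioner cares about."""
    clock = [1_000_000.0]  # constructed clock so expiry can be tested offline
    v = EmailVerifier(b"constructed-server-secret-not-for-production", now=lambda: clock[0])

    v.issue("New.User@example.com")
    token = _token_from_link(v.outbox[-1][1])
    first = v.confirm(token)      # the address, ownership proven
    replay = v.confirm(token)     # None: the token was consumed
    tampered = v.confirm(token[:-1] + ("A" if token[-1] != "A" else "B"))  # None

    v.issue("late@example.com")
    late_token = _token_from_link(v.outbox[-1][1])
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = v.confirm(late_token)  # None: past the TTL

    return {"first": first, "replay": replay, "tampered": tampered,
            "expired": expired, "mails_sent": len(v.outbox)}


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that every secret involved is generated by the site and sent to the mailbox, never collected from it: the user proves control of the address by presenting something only that inbox received, and the site ends up holding nothing that would be useful to a phisher or worth stealing from a breached table.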
The email password fiasco comes just weeks after it was learned that Facebook had stored the passwords of hundreds of millions of users in plaintext on internal company servers.
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.