DUMPSTER FIRE Facebook has been caught asking users to hand over the passwords for their personal email accounts in order to sign up to the social network.
The practice, which has been slammed as "beyond sketchy" by security experts, was first uncovered by security pundit e-Sushi and replicated by the Daily Beast, just two weeks after Facebook was found to have stored 'hundreds of millions' of user passwords in plaintext.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l— e-sushi (@originalesushi) March 31, 2019
New users signing up to the privacy-unaware social network are shown a dialogue box demanding that they enter their email password so that Facebook could verify the address.
"To continue using Facebook, you'll need to confirm your email," the message says, followed by a form asking for users' email password.
Business Insider, which reports that the pop-up appears when users try to register with certain email providers including Yandex and GMX, found that if a user chooses to enter their email account password, another pop-up appears saying that Facebook is "importing contacts", despite not having asked the user for permission to do so.
"It is not immediately clear if this tool actually imports these contacts, as it apparently didn't pull in contact list entries we made for the purposes of testing, though these contacts were only minutes-old," the report notes.
In a statement, Facebook said users retain the option of bypassing the password demand and activating their account through more conventional means.
"People can always choose instead to confirm their account with a code sent to their phone or a link sent to their email," a spokesperson said.
"That said, we understand the password verification option isn't the best way to go about this, so we are going to stop offering it."