Facebook has been asking some of its new users to hand over the password to their personal email account as a way of verifying their new Facebook accounts, a request that is hard to square with the company's recent password-handling record.
The Menlo Park, California-based social-media giant Facebook Inc. (NASDAQ: FB) is prompting some new users to enter the password of the personal email account they used to sign up for Facebook before they can continue using the service.
When affected users try to sign into their Facebook account, the login flow asks them to "confirm your email address" by entering that email account's password on the spot, as first reported by The Daily Beast.
The security researcher known as e-sushi on Twitter drew attention to the prompt, which requires new users to type the password of the email account attached to Facebook directly into the login screen. The message reads, "To continue using Facebook, you'll need to confirm your email," and then asks for the password of the user's personal email account. After the password is entered, a further pop-up states that Facebook is "importing contacts", without asking the user for permission to access the contacts in that email account.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
With Facebook already in the middle of a privacy crisis, a tool that uses users' email passwords to harvest their contacts without consent is another blow to the company's reputation.
The purpose of the password request is entirely unclear at the moment it appears. Facebook may be using it to verify account details, but demanding such a sensitive credential is a deceptive move: from the user's side it is indistinguishable from a phishing page, and it trains users to type one service's password into another service's form.
Facebook does offer an alternative that bypasses the password request: verifying the account through the standard methods, such as a code sent to a mobile phone or an activation link sent to the email address. These options are shown when the user clicks "Need help?" in the top-right corner of the page.
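The standard methods mentioned above share one design: the service generates a random, single-use, time-limited secret, delivers it out of band (by email or SMS), and accepts it back from the user, so the service never needs the mailbox password at all. The following is an added example of that pattern, not Facebook's code; the token lifetime, the in-memory store and the `example.invalid` link are assumptions for illustration. The same logic applies to a numeric SMS code, with a shorter digit string and an attempt counter.

```python
"""Email-ownership verification by single-use token (added example, not
Facebook's code). The service stores only a hash of the token, so a leaked
store cannot be replayed, and it never sees the user's email password."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute validity window

# Constructed in-memory store for the example: email -> (sha256(token), expiry).
# A real deployment would use a database with the same shape.
pending: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_verification(email: str, now: Optional[float] = None) -> str:
    """Create a fresh token for `email`, keep only its hash, and return the
    plaintext token that goes into the activation link or SMS message."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    pending[email] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def activation_link(email: str, token: str) -> str:
    """Build the link to send by email. Hypothetical host; only the token
    travels in the link, never any password."""
    return "https://example.invalid/confirm?" + urlencode(
        {"email": email, "token": token}
    )


def confirm(email: str, token: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token; False otherwise."""
    now = time.time() if now is None else now
    entry = pending.get(email)
    if entry is None:
        return False
    stored_digest, expiry = entry
    if now > expiry:
        del pending[email]  # expired tokens are discarded, not reused
        return False
    # Constant-time comparison so a wrong guess leaks no timing information.
    if not hmac.compare_digest(stored_digest, _digest(token)):
        return False
    del pending[email]  # single use: a captured link cannot be replayed
    return True


if __name__ == "__main__":
    t = issue_verification("alice@example.invalid")
    print(activation_link("alice@example.invalid", t))
    print("first confirm:", confirm("alice@example.invalid", t))
    print("replay:", confirm("alice@example.invalid", t))
```

The verifying party learns only that whoever controls the mailbox clicked the link within the window; it gains no ability to read the mailbox, import contacts, or log in elsewhere, which is exactly the property a password prompt throws away.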
This comes just two weeks after Facebook was reported to have stored "hundreds of millions" of user passwords in plaintext. The company was found to have kept the Facebook passwords of an estimated 200 to 600 million users in plain text, searchable by more than 20,000 Facebook employees.
Soon after The Daily Beast's report, Facebook stated that it does not store the email passwords entered into the prompt. The company added that it will stop asking for these passwords entirely. In a statement, Facebook said,
“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”
The pop-up asking users to confirm their email does state "Facebook won't store your password" just beneath the password field, but how well the entered data is protected, given Facebook's record, is a debate for another day. The assurance comes right after Facebook admitted to having kept up to 600 million user passwords in plain text, readable by its own employees.
"This is basically indistinguishable from a phishing attack…This is bad on so many levels. It's an absurd overreach by Facebook and a sleazy attempt to trick people to upload data about their contacts to Facebook as the price of signing up," Bennett Cyphers, a security researcher at the EFF, told the publication.