Facebook caught asking some new users for passwords to their email accounts
Some new Facebook users were taken aback when they were greeted with a page asking them to hand over the passwords to their personal email accounts as part of the signing-up process.
The issue was first noticed by e-Sushi, a well-known anonymous security researcher, and reported by the Daily Beast.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
“To continue using Facebook, you’ll need to confirm your email. Since you signed up with [email address], you can do that automatically through [email host website],” the message demands.
A form below the message asked for the users’ “email password.”
Apparently, the new Facebook users who were asked for their email password were those who tried to register with certain email providers, including Yandex and GMX. Users signing up with Google's Gmail, however, did not see this option, because Gmail uses the OAuth authorization protocol, which does not require users to hand their password to a third party.
Additionally, if a new user chose to enter their email account password into Facebook, a pop-up appeared saying that Facebook was “importing contacts” – without ever asking the user for permission to do so.
However, in a statement, Facebook said the prompt was only seen by a small number of users. The company claimed it was meant to save people an additional step while signing up for a Facebook account. It also said that it does not store email passwords and that it would no longer ask for them.
“These passwords are not stored by Facebook. A very small group of people have the option of entering their email password to verify their account when they sign up for Facebook for the first time.
“People can always choose instead to confirm their account with a code sent to their phone or a link sent to their email.
“That said, we understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” a Facebook spokesperson told the Daily Beast. The company also added that the process did not involve Facebook accessing people’s email inboxes.
The revelation comes at a time when Facebook, which already has a tarnished image for slip-ups related to privacy and security, acknowledged last month that it had stored approximately 200-600 million user passwords in plain text on internal company servers, rendering them searchable to as many as 20,000 company employees.