It hasn’t even been a month since Facebook admitted that it stored millions of user passwords in plaintext on its servers. Now, Facebook wants some users to hand over their email account passwords if they want to use the social media platform.
This sketchy behavior by Facebook was first spotted by e-Sushi, an anonymous security researcher, and reported by the Daily Beast. New users flagged as suspicious by Facebook's systems were directed to a dialog box asking them for their email password in order to verify their accounts.
This amounts to a phishing-style prompt: Facebook was asking users for the password of a third-party account, the email account they used to sign up, which Facebook has no legitimate need to hold. The only thing Facebook needs to establish is that the user controls that address, and that can be proven without the password.
Below the message is a form field that specifically asks for the user's "email password." The complete message shown on the sign-up page was captured in the tweet that follows.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
Notably, users who tried to register with certain email providers, including Yandex and GMX, were asked to confirm their email address by submitting their password directly to Facebook.
Users of other providers, such as Google's Gmail, did not see this prompt, because those accounts are verified through OAuth: the user signs in on the provider's own page and the provider tells Facebook that the address is confirmed, so Facebook never sees the password.
Moreover, if a new user did enter their email account password into Facebook, another pop-up appeared stating that Facebook was "importing contacts," without asking for the user's consent.
Facebook, in its defense, says that this screen was shown only to a small number of people and it was intended to save people from going through an extra step while signing up for a Facebook account.
“People can always choose instead to confirm their account with a code sent to their phone or a link sent to their email,” a Facebook spokesperson told the Daily Beast. “That said, we understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”
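Both alternatives mentioned on this page, the OAuth flow that Gmail users get and the "link sent to your email" option Facebook's spokesperson describes, share the property that the site never learns the email password: OAuth delegates the login to the provider, and an emailed link only proves that the user can read mail at that address. The following is an added example, not Facebook's code, of how such a verification link is built and checked server-side. It uses an HMAC-signed, expiring, single-use token; the secret, the base URL and the 15-minute lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side signing key. In a real deployment this comes from a
# secrets manager and is rotated; it is never derived from anything the user sends.
SERVER_SECRET = b"example-signing-key-replace-me"
# Assumed token lifetime; short enough that a leaked link is soon useless.
TOKEN_TTL_SECONDS = 15 * 60


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload so that no field can be altered without the key."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_verification_link(email: str,
                           base_url: str = "https://example.invalid/verify",
                           now: Optional[float] = None) -> str:
    """Build the link that is emailed to the user.

    The link binds the address, an expiry time and a random nonce together under
    the server's signature. Nothing about the user's email password is involved:
    receiving this link at the address is the proof of ownership.
    """
    issued = int(now if now is not None else time.time())
    expires = issued + TOKEN_TTL_SECONDS
    nonce = secrets.token_urlsafe(16)
    payload = f"{email}|{expires}|{nonce}"
    query = urlencode({"email": email, "exp": expires, "nonce": nonce,
                       "sig": _sign(payload)})
    return f"{base_url}?{query}"


def verify_link(url: str,
                now: Optional[float] = None,
                used_nonces: Optional[Set[str]] = None) -> Optional[str]:
    """Return the verified email address, or None if the link is not acceptable.

    Rejects links with missing fields, a signature that does not match (any
    tampering with the address, expiry or nonce), an elapsed expiry, and, when a
    nonce store is supplied, any link that has already been used once.
    """
    params = parse_qs(urlparse(url).query)
    try:
        email = params["email"][0]
        exp = params["exp"][0]
        nonce = params["nonce"][0]
        sig = params["sig"][0]
    except (KeyError, IndexError):
        return None
    if not exp.isdigit():
        return None
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(_sign(f"{email}|{exp}|{nonce}"), sig):
        return None
    current = now if now is not None else time.time()
    if current > int(exp):
        return None
    if used_nonces is not None:
        if nonce in used_nonces:
            return None
        used_nonces.add(nonce)
    return email


if __name__ == "__main__":
    # Constructed sample address; the provider is one the article names.
    link = make_verification_link("alice@gmx.example")
    print("emailed link:", link)
    print("verified as:", verify_link(link))
```

The check happens entirely on the server with data the server generated itself, which is why the user's mail provider credentials are never part of the exchange. The signed nonce also prevents a guessed or replayed link from confirming an address.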