Facebook seems to keep having “hold my beer” moments with itself, always outdoing its own privacy debacles, one after another. Just a couple of weeks after admitting that it was storing hundreds of millions of users’ passwords in unencrypted documents, it looks like another scandal has erupted, as the company seems to be asking for users’ email passwords in order to verify their accounts and continue using the social network. Even normal, non-tech people would know right off the bat that this is something they shouldn’t be doing.
Some users are interrupted in their regular Facebook scrolling by an interstitial that asks them for the password to the email account they used to sign up for the network. Note that this isn’t your actual Facebook password but the password to your email, which of course Facebook has no business asking for. The prompt says “To continue using Facebook, you’ll need to confirm your email”, and below that there’s a field for the email password.
While Facebook assured users that it does not store the email passwords, it eventually pulled this practice as it realized it “isn’t the best way to go about this”. It really makes you wonder why no one within the company flagged this earlier. Facebook now says that users can bypass this “demand” and use other means of activating their account, like having a code sent to their phone or a link sent to their email.
The issue with the unsecured storage of passwords erupted just a couple of weeks ago, so you can’t really be confident giving any kind of password to Facebook. Even typing in your phone number to get that code isn’t really that secure: last year, Facebook allowed its advertisers to target those who did that and even made the numbers searchable.
Are we going to reach a breaking point soon and collectively say to Facebook, “Enough is enough”? While some have vocally left the platform for various reasons, many of them privacy-related, it still has a significantly large user base, enough to still lord it over the digital world. We’ll know soon enough if we’re close to that tipping point, as we expect more privacy scandals to happen soon.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
VIA: The Daily Beast