Facebook has been prompting some users registering for the first time to hand over the passwords to their email accounts, the Daily Beast reported on Wednesday—a practice that blares right past questionable and into “beyond sketchy” territory, security consultant Jake Williams told the Beast.
A Twitter account using the handle @originalesushi first posted an image of the screen several days ago, in which new users are told they can confirm their third-party email addresses “automatically” by giving Facebook their login credentials. The Beast wrote that the prompt appeared to trigger under circumstances where Facebook might think a sign-up attempt is “suspicious,” and confirmed it on their end by “using a disposable webmail address and connecting through a VPN in Romania.”
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
It is never, ever advisable for a user to give out their email password to anyone, except possibly to a 100 per cent verified account administrator when no other option exists (which there should be). Email accounts tend to be primary gateways into the rest of the web, because a valid one is usually necessary to register accounts on everything from banks and financial institutions to social media accounts and porn sites. They obviously also contain copies of every un-deleted message ever sent to or from that address, as well as additional information like contact lists. It is for this reason that email password requests are one of the most obvious hallmarks of a phishing scam.
“That’s beyond sketchy,” Williams told the Beast. “They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”
“This is basically indistinguishable to a phishing attack,” Electronic Frontier Foundation security researcher Bennett Cyphers told Business Insider. “This is bad on so many levels. It’s an absurd overreach by Facebook and a sleazy attempt to trick people to upload data about their contacts to Facebook as the price of signing up… No company should ever be asking people for credentials like this, and you shouldn’t trust anyone that does.”
A Facebook spokesperson confirmed in a statement to Gizmodo that this screen appears for some users signing up for the first time, though the company wrote, “These passwords are not stored by Facebook.” It additionally characterised the number of users it asks for email passwords as “very small.” Those presented with the screen were signing up on desktop while using email addresses that did not support OAuth—an open standard for allowing third parties authenticated access to assets (such as for the purpose of verifying identities) without sharing login credentials. OAuth is typically a standard feature of major email providers.
Facebook noted in the statement that those users presented with this screen could opt out of sharing passwords and use another verification method such as email or phone. The company also said it would be ending the practice of asking for email passwords.
“People can always choose instead to confirm their account with a code sent to their phone or a link sent to their email,” the spokesperson wrote. “That said, we understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”
However, those other options could only be reached by clicking the “Need help?” button seen in the above screenshot, which is not an obvious manner of communicating that there are other options.
Business Insider found that signing up for an account using this method additionally prompts users that Facebook is “importing contacts” without asking for permission, though it was not “immediately clear if this tool actually imports these contacts”:
Business Insider has also found that if a new user chooses to enter their email account password into Facebook, a pop-up appears saying that Facebook is “importing contacts” — despite not asking the user for permission to do so. It is not immediately clear if this tool actually imports these contacts, as it apparently didn’t pull in contact list entries we made for the purposes of testing, though these contacts were only minutes-old.
Reached over phone, a Facebook spokesperson confirmed that handing over email login credentials has been “offered for years” and that the “The intent of this option was simply to confirm the account.” The spokesperson said they did not know whether Facebook had accessed any data in accounts it obtained passwords to—such as contact lists, which it uses to fuel features like its People You May Know system—but would follow up with an answer. (We’ll update this article if we hear back.)
While Facebook said that it did not store the passwords, it has also used ostensible security features such as two-factor authentication as a pretext to spam users’ phones with text messages and wrangle up phone numbers for targeted advertising. Facebook has also in the past issued contradictory statements about what kind of data it collects (such as call data and app usage on its Portal video phones), launched pseudo-VPN apps that vacuumed up user data, and seemingly obfuscated how users could control whether it obtains call and text data. Late last month, news leaked it stored hundreds of millions of users’ passwords in plaintext.