Social media giant Facebook has been embroiled in quite a lot of controversies in the last year alone, starting with the Cambridge Analytica data collection scandal and now continuing with a new report that the company is asking some new users for the passwords to their email accounts as a means of verifying their identity.
If that scares you, it should. According to the Daily Beast, which first reported the issue, some new users are being prompted by Facebook to provide their email passwords when they try to sign up for the social media platform. Security consultant Jake Williams says the practice blows right past questionable and into “beyond sketchy” territory.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
According to reports, the prompt appears when Facebook thinks a sign-up attempt is suspicious, and, apparently, the option only appears for email addresses that don’t support OAuth — a standard that’s adopted by almost all major email providers.
As you might expect, providing your password to anyone, let alone a company that’s probably the least trusted technology company these days, is a terrible idea. In a statement given to Gizmodo, a Facebook spokesperson claimed that “these passwords are not stored by Facebook,” and added that the prompt only appeared for a “very small” number of users.
The company also clarified that people presented with this option could always choose to authenticate by other means, such as their phone number or email address. However, those options are hidden behind the “Need Help?” button, which isn’t exactly the clearest way of letting users know that they have other options for verifying their identity on the platform.
What’s worse, Business Insider found that signing up for an account using this method shows the user a prompt saying that Facebook is importing their contacts as well, though it’s not clear whether contacts were actually imported.
Facebook has confirmed that it will stop the practice of asking users for their passwords, but the fact that it did this at all, and didn’t stop until it was reported on, puts yet another mark on its ‘not-so-clean’ record when it comes to user privacy and data.
Facebook has found itself at the center of a number of major controversies, including launching a VPN app that captured users’ data and using 2FA as a way to spam users’ phones with text messages and to get their phone numbers for targeted ads. Last month, it also emerged that the company reportedly stored millions of passwords in plaintext. Needless to say, this latest addition to Facebook’s long list of questionable privacy and security practices isn’t going to help the company regain user trust any time soon.