Mark Zuckerberg admitted recently that Facebook doesn’t have a ‘strong reputation’ for privacy. An odd new request for personal information probably won’t help with that rep.
Just two weeks after admitting it stored hundreds of millions of its users’ own passwords insecurely, Facebook is demanding some users to fork over the password for their outside email account as the price of admission to the social network.
Facebook users are being interrupted by an interstitial demanding they provide the password for the e-mail account they gave to Facebook once signing up.
“To continue using Facebook, you’ll have to confirm your email,” the message demands. “Since you signed up with [email address], you can do that automatically …”
A form below the message asked for the users’ “email password.”
“That’s beyond sketchy,” security consultant Jake Williams told the Daily Beast.
“They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”
In a statement emailed to The Daily Beast after this story published, Facebook reiterated its claim it doesn’t store the e-mail passwords. However the corporate conjointly announced it’ll end the practice altogether.
“We understand the password verification option isn’t the best way to go about this, therefore we are going to stop offering it,” Facebook wrote.
It’s not clear how widely the new measure was deployed, however in its statement Facebook said users retain the option of bypassing the password demand and activating their account through more standard means, like “a code sent to their phone or a link sent to their email.” Those options are presented to users who click on the words “Need help?” in one corner of the page.
The additional login step was noticed over the weekend by a cybersecurity watcher on Twitter called “e-sushi.” The Daily Beast tested the claim by establishing a new Facebook account under circumstances the company’s system might flag as suspicious, using a disposable webmail address and connecting through a VPN in Romania. A reporter was taken to the same screen demanding the e-mail password.
“By going down that road, you’re practically fishing for passwords you’re not supposed to know!,” e-sushi wrote in a tweet.
Small print below the password field promises, “Facebook won’t store your password.” however the corporate has recently been criticized for repurposing information it originally acquired for “security” reasons.
Last year Facebook was caught allowing advertisers to target its users using phone numbers users provided for two-factor authentication; users handed over their numbers so Facebook could send a text message with a secret code once they log in. more recently the corporate drew the ire of privacy advocates once it began making those phone numbers searchable, therefore anyone can find the matching user “in defiance of user expectations and security best practices,” wrote the Electronic Frontier Foundation, a civil liberties group.
Facebook conjointly has a checkered history when it comes to securely handling passwords. Last month the corporate acknowledged that unencrypted passwords for hundreds of millions of its users had been stored for years in company logs accessible to 2,000 employees.
Last month, amid a steady drum beat of fresh privacy scandals, Facebook founder Mark Zuckerberg unleashed a thousand-word manifesto describing a new “privacy-focused vision” for the company designed on strong encryption and cutting-edge security tools.
Even then, Zuckerberg acknowledged that Facebook’s putative pivot-to-privacy would meet with some skepticism. “Frankly we don’t currently have a strong reputation for building privacy protective services.”