Facebook has been asking some users to give up the password to their private email accounts while signing up for the social media site, the Daily Beast reports.
The discovery was first revealed by a Twitter user earlier this week, who accused Facebook of “practically fishing for passwords you are not supposed to know!”
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
The email password request is reportedly made when new users engage in what Facebook believes could be suspicious behavior, such as registering while connected through a VPN or using certain email domains.
By providing the password to the email account being used to sign up, Facebook says it can confirm whether a new user is legitimate. Such practices, however, are completely ill-advised, as they mirror what would happen during a phishing attack, potentially leading users to believe such requests are normal.
Speaking with Business Insider, Bennett Cyphers, a security researcher with the Electronic Frontier Foundation, described Facebook’s actions as an “absurd overreach.”
“Even when you consent to uploading contact information to Facebook, you should never have to put in your email password to do it,” Cyphers said. “No company should ever be asking people for credentials like this, and you shouldn’t trust anyone that does. This goes against all conventional security wisdom, basic decency, and common sense.”
To make matters worse, users who give up their private email password are then informed that their email contacts have been “imported” to Facebook, despite the social media company failing to ask for permission.
In a statement to the Daily Beast, Facebook defended the practice by arguing that it did not store the passwords.
“A very small group of people have the option of entering their email password to verify their account when they sign up for Facebook for the first time,” the spokesperson said.
And although Facebook says emails can be verified by other means, doing so requires users to click the vague “Need help?” option.
The Facebook spokesperson did concede that the verification method “isn’t the best way to go about this” and stated that it would end the practice of asking for email passwords, although a timeline was not provided.
The email password fiasco comes just weeks after it was learned that Facebook stored passwords for hundreds of millions of users unencrypted on internal company servers.