Credit: The Hacker News
Facebook has been caught practicing the worst ever user-verification mechanism that could put the security of its users at risk.
Generally, social media or any other online service asks users to confirm a secret code or a unique URL sent to the email address they provided for the account registration.
However, Facebook has been found asking some newly-registered users to provide the social network with the passwords to their email accounts, which according to security experts is a terrible idea that could threaten privacy and security of its users.
First noticed by Twitter account e-Sushi using the handle @originalesushi, Facebook has been prompting users to hand over their passwords for third-party email services, so that the company can “automatically” verify their email addresses.
However, the prompt only appears for email accounts from certain email providers which Facebook considers to be suspicious.
“Tested it myself registering 3 times with 3 different emails using 3 different IPs and 2 different browsers. 2 out of 3 times I faced that email password verification thing right after clicking “register account” on their front page sign up form,” e-Sushi said in a tweet.
“By going down that road, you’re practically fishing for passwords you are not supposed to know!”
It’s ironic that this news came just two weeks after Facebook admitted that it mistakenly stored passwords for “hundreds of millions” of its users insecurely in plaintext for years in company logs which were accessible to 2,000 Facebook employees.
In a statement provided to the Daily Beast, Facebook confirmed the existence of such “dubious” verification process but also claimed it doesn’t store the user-provided email passwords on its server.
Facebook also said it would end the practice of asking for email passwords altogether.
“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” Facebook said.
Facebook also noted that the users asked for their email passwords as a means of verifying their accounts could opt for other verification methods such as a passcode sent to their phone number or a link to their email address by clicking the “Need help?” button on the page.
The bottom line: As always recommended, you are never, ever advised to share your email password with anyone, or enter it into any website or any social media service, except the email service for which it is intended in order to avoid your passwords being stolen using “phishing attacks.”