Facebook has been in the news for one reason or another, much of it related to online security and privacy. Lately, Facebook has been asking its new members to provide the passwords to their personal email accounts.
Cyber security experts generally advise that people should not share their passwords and should use them only for their intended purpose. Cybercriminals are very active, and a small mistake could lead to a phishing attack in which all of a user's personal data is stolen.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l — e-sushi (@originalesushi) March 31, 2019
According to The Daily Beast and Business Insider, whenever a new member registers with an email address from certain providers, be it GMX or Yandex, they are asked to confirm their email by typing its password directly into Facebook.
Users of Google's Gmail and a few other email providers do not see this option, because those providers use OAuth, an authorization standard that verifies the identity of the user without asking them to enter their password.
According to another finding by Rob Price, whenever a user enters their email password on Facebook, a pop-up appears saying that Facebook is importing contacts. Users are not asked for permission or consent. It is still unclear whether the contacts are actually imported.
Here’s an example of what you see when you sign up (with a throwaway account), and after you enter your password. Note that it never asked for permission before "importing contacts." pic.twitter.com/pnB9M74OC0 — Rob Price (@robaeprice) April 3, 2019
A Facebook spokesperson has said that this feature will soon be discontinued, without giving a time frame. Bennett Cyphers, a security researcher at the Electronic Frontier Foundation, said that this is an act close to phishing, as people are advised never to enter an account's password anywhere other than the platform it was created on.
He went on to say that Facebook has been charging a price for signing up, in the form of contacts. Even if a user consents to updating their contacts, Facebook should still not ask for passwords. He called it an act against basic decency and common sense, as no one should be trusted with passwords.
Troy Hunt, a security researcher and the creator of Have I Been Pwned, said it is a security anti-pattern and a "bad practice", as one platform is asking for the password to another service. It seems unnecessary even if Facebook takes care of the passwords.
When asking for passwords, Facebook states that it will not store them, though individual users cannot verify this. It was also recently revealed that the company had been storing the passwords of millions of users in plain text.
The spokesperson for the social media giant said that Facebook does not store the passwords, and that only a few people were given the option to enter their passwords for verification. People are also given the option to confirm their accounts through a code sent to their mobile phone or through an email link.
Facebook has realized that this is not the best practice, so the option will be discontinued.
Featured photo: Jason Henry / The New York Times