Facebook Wants Your Passwords… For Legitimate Reasons?
As if it wasn’t bad enough that they had been storing millions of users’ passwords in plaintext, with over 2000 internal employees having access to them, Facebook have made another whoopsie.
It has been revealed that Facebook have been using just about the worst user-verification method available, adding yet more risk for their users. When you sign up with an email address from a less common provider (that is, not a Gmail or Hotmail address) and something about the sign-up looks suspicious, such as coming in through a VPN, Facebook try to confirm you are legitimate by asking you to type in the password to that email account.
This was discovered by Twitter user @originalesushi, who said, “Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you’re practically fishing for passwords you are not supposed to know!”
We couldn’t agree more. You definitely wouldn’t find this in any other company’s best practice handbooks. Perhaps they read from the worst practice handbook by mistake!
Of course, Facebook came out with their shields up, stating that the prompt could be bypassed by clicking the “Need help?” link and choosing a different verification method, although that is far from obvious on the form. They also said the password is never stored on Facebook’s servers and is “automatically verified” instead. Consider what that has to mean in practice: to check the password at all, Facebook’s systems must receive it and present it to your email provider on your behalf, so even if it is discarded afterwards it has still left your hands and passed through a third party’s infrastructure. To their credit, they did concede that it is not the best method of verification and have removed it as an option completely, which leaves us thinking they were not so confident it was 100% above board.
Just to confirm, best practice is to never give your email password to anyone, for any reason: a site that wants to confirm you own an address only needs to send a code or link to that address and have you bring it back, and has no use for the password itself. Requests for it are normally phishing attempts to take over your accounts, and the mailbox is the worst one to lose, since password resets for almost everything else land there. Of course, we wouldn’t insinuate that Facebook are trying to get hold of more data than they need, but it is yet another dubious practice, and users’ faith in the company has been dwindling enough recently already. Surely it must be time to eradicate these security issues once and for all.
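To make the contrast concrete, here is the kind of ownership check a site should run instead of asking for a mailbox password. This is an added example, not code from Facebook or from the original post; the EmailVerifier class, the mail-sending callback, the controllable clock, the expiry and attempt limits, and the sample address are all assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # a mailed code should die quickly if unused (assumed limit)
MAX_ATTEMPTS = 5              # wrong guesses allowed before the code is thrown away (assumed limit)


class EmailVerifier:
    """Proves that a user can read a mailbox without ever asking for its password.

    Hypothetical design (not Facebook's code): a random single-use code is mailed
    to the address; only a SHA-256 digest of it is kept server-side, so a leak of
    this table exposes nothing a user could type in. The mailbox password is never
    requested, received or relayed anywhere.
    """

    def __init__(self, send_mail, clock=time.time):
        self._send_mail = send_mail   # callable(address, body); injected so the example runs offline
        self._clock = clock           # injectable so expiry can be exercised without waiting
        self._pending = {}            # address -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def start(self, address):
        """Generate a code, remember only its digest, and mail the code to the user."""
        code = secrets.token_urlsafe(32)   # 256 bits of entropy; not guessable online
        self._pending[address.lower()] = [
            self._digest(code),
            self._clock() + TOKEN_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        self._send_mail(address, f"Your verification code: {code}")
        # Deliberately returns nothing: the only copy of the code goes to the mailbox.

    def confirm(self, address, code):
        """Return True once, for the right code, before expiry; False otherwise."""
        key = address.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[key]        # stale codes are removed, never honoured
            return False
        if not hmac.compare_digest(digest, self._digest(code)):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[key]    # too many guesses: user must start over
            return False
        del self._pending[key]            # single use: a captured code cannot be replayed
        return True


class FakeClock:
    """Controllable clock so the expiry path can be demonstrated."""

    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_scenario():
    """Drives the verifier through a wrong guess, the happy path, a replay and an expired code.

    Uses a constructed address and an in-memory outbox instead of a real mail server.
    """
    outbox = []
    clock = FakeClock()
    verifier = EmailVerifier(send_mail=lambda addr, body: outbox.append((addr, body)), clock=clock)
    address = "user@example.test"   # constructed sample address

    verifier.start(address)
    mailed_code = outbox[-1][1].rsplit(" ", 1)[1]   # what the user would read from the email

    results = {}
    results["wrong_code"] = verifier.confirm(address, "not-the-code")
    results["correct"] = verifier.confirm(address, mailed_code)
    results["replay"] = verifier.confirm(address, mailed_code)

    verifier.start(address)
    second_code = outbox[-1][1].rsplit(" ", 1)[1]
    clock.advance(TOKEN_TTL_SECONDS + 1)
    results["expired"] = verifier.confirm(address, second_code)

    # Nothing resembling a password is ever asked for or mailed out.
    results["password_seen"] = any(body.lower().startswith("password") for _, body in outbox)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The code the user types back is compared in constant time against a stored digest, consumed on first success, and discarded on expiry or after too many wrong guesses, so a stolen database table or a captured code buys an attacker very little; compare that with a flow that relays the user’s mailbox password to a third-party mail server. Run the file directly to see the scenario results, or assert on what run_scenario() returns.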
EDIT:
It’s hard to keep up with Facebook’s woes! Yet more news has come out before I even managed to get this one up.
Over 540 million records of Facebook users’ data have been discovered in publicly accessible Amazon S3 storage buckets. The bulk of it is a 146 GB dataset collected by a third-party developer from Mexico called Cultura Colectiva, containing comments, likes, reactions, names, user IDs and more.
A second dataset, from an app called “At the Pool”, covers far fewer people, around 22,000, but actually contained email addresses together with the passwords for those users’ app accounts. Those may well match their Facebook passwords, since an estimated 70% or so of internet users reuse the same password across many accounts.
It is worth noting that Facebook have since tightened what third-party developers can access, but that is little help to the many users whose details are already out there and spreading across the web.