It hasn’t even been a month since Facebook admitted that it stored millions of userpasswords in plaintexton its servers. Now, Facebook wants some users to hand over their email account passwords if they want to use the social media platform.
This sketchy behavior by Facebook was first spotted by e-Sushi, an anonymous security researcher, and reported by theDaily Beast. Apparently, newusers detected as suspiciousby Facebook’s systems were directed to a dialogue box asking them for their email password in order toverify their accounts.
There is a form field below the message which specifically asks for the users’ “email password.” you may read the complete message shown on the sign-in page —
https://twitter.com/originalesushi/status/1112496649891430401
It is to be noted that users who tried to register with certain email providers, includingYandex and GMX, were asked to confirm their email address by submitting their password directly to Facebook.
However, other users of email providers like Google’sGmail do not see this optionbecause Gmail uses the authorization tool OAuth — to securely verify your identity without asking for your password.
Moreover, if a new user chooses to enter their e-mail account password into Facebook, another pop-up appears stating that Facebook is “importing contacts” — without even asking for user consent.
Facebook, in its defense, says that this screen was shown only to a small number of people and it was intended to save people from going through anextra step while signing upfor a Facebook account.
“People can always choose instead to confirm their account with a code sent to their phone or a link sent to their email,”a Facebook spokesperson told the Daily Beast.“That said, we understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”
