In a highly shady move, the social network has been caught asking some users for the password to the email account they registered with Facebook, reports the Daily Beast. In the notification that pops up for some users, Facebook says it needs to verify they are who they say they are, and one way to do this is to hand over the password to their email account. The request was first noticed by a user on Twitter:
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
The demand from Facebook reads: “To continue using Facebook, you’ll need to confirm your email address. Because you signed up with [email address], you can do this automatically through [email provider].”
In a statement to the Daily Beast, a Facebook spokesperson said that the message offered users the option of not handing over their email’s password and instead having “a code sent to their phone or a link sent to their email.” However, those options were only visible if the user clicked a “Need help?” link in the corner of the notification.
Small text in the notification reads, “Facebook won’t store your password”—but I would find it hard to trust Facebook on that. After all, Facebook previously used the personal phone numbers it said it collected for security purposes in ways it never disclosed to users.
The Facebook spokesperson added, “We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”