Facebook wants some new users to give it the passwords to their third-party email accounts.
As The Daily Beast reported yesterday (April 2), some users are being interrupted, right after they register, by an interstitial pop-up stating that they need to provide the passwords to the email accounts they used to sign up for Facebook in order to "verify" their email address.
Facebook told The Daily Beast that it doesn't store those email passwords, which raises the question of why Facebook would want them in the first place. It also told The Daily Beast it will end the requests altogether.
“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” Facebook said.
The company said users could opt to verify their email through links sent to their email or codes sent to their phone. However, to choose this option you have to go to the not-very-visible "Need help?" link in the corner of the page.
"Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view," tweeted cybersecurity researcher e-sushi, who discovered the additional login step. "By going down that road, you're practically fishing for passwords you are not supposed to know...This is practically a 'give #Facebook the secret password to your email account, or bust' kinda thing."
We've reached out to Facebook for additional comment on this report and will update this story when we receive a reply.
The Daily Beast noted that not every new user of Facebook would see these demands, but only those registration attempts that looked suspicious. The site got it to pop up by using a burner email address and a VPN that made it seem that the reporter was trying to set up an account from Romania. Likewise, e-sushi said he got the pop-up two of the three times he tried to register with a disposable email address.
Despite Facebook's claim that it does not store these passwords, its track record here is not promising. Just a few weeks ago, the company admitted that it had stored millions of Facebook, Facebook Lite and Instagram passwords in plaintext on its internal servers, where Facebook employees could have seen them.
Last year, Facebook admitted that the mobile phone numbers users had provided in order to enable two-factor authentication, which Facebook had promised not to use for any other purpose, were in fact being used to target users' mobile phones with ads.