Facebook has been caught practicing the worst ever user-verification mechanism that could put the security of its users at risk.
Generally, social media or any other online service asks users to confirm a secret code or a unique URL sent to the email address they provided for the account registration.
However, Facebook has been found asking some newly-registered users to provide the social network with the passwords to their email accounts, which according to security experts is a terrible idea that could threaten privacy and security of its users.
First noticed by Twitter account e-Sushi using the handle @originalesushi, Facebook has been prompting users to hand over their passwords for third-party email services, so that the company can “automatically” verify their email addresses.
However, the prompt only appears for email accounts from certain email providers which Facebook considers to be suspicious.
“Tested it myself registering 3 times with 3 different emails using 3 different IPs and 2 different browsers. 2 out of 3 times I faced that email password verification thing right after clicking “register account” on their front page sign up form,” e-Sushi said in a tweet.
“By going down that road, you’re practically fishing for passwords you are not supposed to know!”
It’s ironic that this news came just two weeks after Facebook admitted that it mistakenly stored passwords for “hundreds of millions” of its users insecurely in plaintext for years in company logs which were accessible to 2,000 Facebook employees.
In a statement provided to the Daily Beast, Facebook confirmed the existence of such “dubious” verification process but also claimed it doesn’t store the user-provided email passwords on its server.
images from Hacker News