Usually when you sign up for a new online service and you’re required to activate your account, all you need to do is click on an activation link and you’re good to go. Unfortunately, for some reason, Facebook has decided to demand the passwords to the email accounts that new users are using to sign up for the service.This is according to a recent tweet by e-sushi who shared a screenshot where it showed Facebook asking for the email password of the user. Note that this password is not the password to the user’s Facebook account, but the password to the email that they used to sign up for Facebook, something that no one else, other than the user, should have.
Speaking to The Daily Beast, security consultant Jake Williams said, “That’s beyond sketchy. They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”
Facebook has since responded to the publication by saying, “We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.” The company also reassures that it does not store email passwords, but then again we can’t say that with certainty. It is also unclear if Facebook would have continued with this practice had it not gotten the attention it did.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019