Facebook is facing yet another security controversy. This time, the social media giant is accused of utilizing phishing tactics on new users.
Facebook has certainly had its share of controversies in the last year or so. We’ve seen Facebook suffer a data breach in which 50 million accounts were exposed. Then there was the Cambridge Analytica scandal. On top of that, it made a controversial move to ban discussion of some forms of sexuality.
Now, Facebook is facing a fresh round of controversy. This time, it affects users who are signing up, and more specifically users who sign up with a Yandex or GMX e-mail account. The Electronic Frontier Foundation (EFF) offers a full explanation, with screenshots, of exactly what went down.
When a user signed up with a Yandex e-mail account, Facebook prompted the user to confirm their e-mail address. Many websites do this, but in this case Facebook explicitly asked for the user’s e-mail password. Once entered, both the e-mail address and the password were sent directly to Facebook. It’s worth noting that a standard confirmation e-mail was also sent to the user’s inbox before this step, so the password was never needed to prove ownership of the address. The only way to bypass the prompt was to click a “Need Help” link, which revealed that you didn’t need to send Facebook your e-mail password at all.
So why did Facebook need the e-mail password? It turns out that after “authenticating” the address, Facebook logged in to the e-mail account, rummaged through it, and attempted to harvest the user’s contacts. The idea seems to be to import the contact details of the user’s friends and link them directly on Facebook. The EFF concludes its account with the following:
Somewhere in a cavernous, evaporative cooled datacenter, one of millions of blinking Facebook servers took our credentials, used them to authenticate to our private email account, and tried to pull information about all of our contacts.
After clicking Continue, we were dumped into the Facebook home page, email successfully “confirmed,” and our privacy thoroughly violated.
The EFF’s point is that this has nothing to do with security and everything to do with pulling as much data out of users as possible. What’s immediately controversial is that users aren’t really told why Facebook is “authenticating” until long after the data has been pulled. Then there is the security concern of handing your login credentials to a third party in the first place: anyone holding your e-mail password can read your mail and reset the passwords of other accounts tied to that address.
Actual phishing campaigns follow exactly this pattern: the attacker claims to need to “confirm” something, requests the user’s login credentials, harvests them, and uses them for nefarious purposes. So when a legitimate company starts using the same tactic, it becomes harder to tell a credential-harvesting attempt from a legitimate company’s efforts. How are security experts supposed to educate the public about phishing when actual companies use the same tactics? The most common advice is that there is no reason a real company would ask for this kind of information in the first place: a site that needs to confirm an e-mail address can send a link or code to the inbox, and a site that wants access to your contacts can ask the e-mail provider for scoped access through a consent screen, neither of which requires the password.
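As an added illustration, and not code from this article, the EFF or Facebook, here is the kind of confirmation flow a legitimate site uses instead of asking for a mailbox password: it mints a signed, time-limited token, mails a link carrying it, and treats a click on that link as proof that the person controls the inbox. The secret key, confirmation domain and token lifetime below are placeholders I have assumed, and the addresses are constructed sample input.

```python
# Added example, not the article's or any company's code: confirming
# ownership of an e-mail address without ever seeing the mailbox password.
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumption: in practice this key comes from a secret store, not source code.
SERVER_SECRET = b"replace-with-a-random-32-byte-key"
TOKEN_TTL = 24 * 3600  # assumption: confirmation links are valid for one day
CONFIRM_URL = "https://example.invalid/confirm"  # placeholder domain


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token survives inside a link."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises ValueError (binascii.Error) on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(email: str, now: Optional[float] = None) -> str:
    """Return 'payload.signature' where payload is 'email|expiry-unix-time'."""
    expiry = int((now if now is not None else time.time()) + TOKEN_TTL)
    payload = f"{email.lower()}|{expiry}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the confirmed address, or None if the token is malformed,
    tampered with, or expired. Only the server's secret is needed; the
    user's mailbox password is never involved."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
        email, expiry_text = payload.decode().rsplit("|", 1)
        expiry = int(expiry_text)
    except ValueError:  # covers bad base64, missing separators, non-int expiry
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    current = now if now is not None else time.time()
    if current > expiry:
        return None
    return email


def build_confirmation_email(email: str, now: Optional[float] = None) -> str:
    """The message the site would send to the inbox. Clicking the link, not
    typing a password, is what proves control of the address."""
    token = mint_token(email, now)
    return (
        f"To: {email}\n"
        f"Subject: Confirm your e-mail address\n\n"
        f"Click to confirm: {CONFIRM_URL}?token={token}\n"
    )


if __name__ == "__main__":
    message = build_confirmation_email("alice@example.com")  # constructed sample address
    print(message)
    link_token = message.split("token=", 1)[1].strip()
    print("confirmed:", verify_token(link_token))
```

The token carries only the address and an expiry, signed with the site's own key, so a forged or edited link fails verification and an old link stops working after the lifetime. Pulling the user's contacts, the thing Facebook actually wanted, would be a separate request to the e-mail provider for scoped access, again without the password.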
Facebook has responded to the controversy. According to Digital Information World, the company said the feature is going to be discontinued soon.
For a lot of critics, this is just another instance of Facebook not doing enough to protect its users. Whether it’s political interference allegations, security, or who knows what else is in store for the company, it doesn’t look like Facebook is going to escape controversy any time soon.
Drew Wilson on Twitter: @icecube85 and Google+.