Facebook has faced multiple allegations of cyber security risks in the past few years. The California-based tech company has been repeatedly slammed by lawmakers and cybersecurity advocates for allegedly violating the privacy of billions of its users, including on other platforms the company owns, such as WhatsApp and Instagram.
This week, Facebook was once again found by tech researchers to have questionable privacy practices. The tech giant is said to have been using what experts call the worst user-verification mechanism ever, and they say the problematic verification method can put all of its users at serious cyber risk.
Twitter user e-Sushi (handle @orhinalesushi), a tech expert who posts his discoveries on his Twitter account, revealed that Facebook had been asking newly registered users to provide the password for the email account they signed up with, so that the platform could verify the user's identity. According to security experts, this type of user verification is a “terrible idea” and could threaten the privacy and security of its users.
The passwords Facebook asks for are the ones the user uses for their third-party email service; the prompt says this would “automatically” verify their email address. The prompt only appears, however, for email accounts from certain email providers that the algorithm considers suspicious.
“Tested it myself, registering three times with three different emails using three different IPs and two different browsers. Two out of three times, I face that email password verification thing right after clicking “register account” on their front page sign-up form,” e-Sushi wrote in a tweet.
According to the tech expert, by doing this Facebook essentially fishes for passwords that it has no business knowing, because they belong to a third-party account.
Ironically, the news about Facebook's unsafe user-verification practice comes two weeks after the tech giant admitted that it had been storing its users' passwords in plaintext, allowing anyone with access to the database where the passwords were saved to read them directly.
Facebook confirmed that hundreds of millions of user passwords were being stored in a “readable form” that thousands of its employees could access and understand. While Facebook has already notified the users affected by the password leak, the California-based tech company has assured that none of its employees violated any privacy protocols in handling the exposed database.
Facebook’s Pedro Canahuati, vice president of engineering for security and privacy, initially referred to “some” user passwords that were accessible to Facebook employees. A paragraph later, he revealed that “hundreds of millions of Facebook Lite users, millions of Facebook users, and tens of thousands of Instagram users” would be notified.
Facebook said that the issue is an internal one. “To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati wrote.
Nonetheless, Facebook also assured users that the newly discovered problematic user-verification process would no longer be used. In a statement, a Facebook spokesperson confirmed the existence of the “dubious” verification process but also claimed that Facebook does not store the user-provided email passwords on its servers.
“We understand the password verification option is not the best way to go about this, so we are going to stop offering it,” Facebook said in a statement.
Facebook also said that users who prefer not to use this specific email-verification process can opt for other available methods, such as a passcode sent to their phone number or a link sent to their email address, by clicking the “Need help?” button on the page.
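What the emailed-link alternative described above looks like in code, as an added example that is not Facebook's code: the site generates a random one-time token, emails it to the address being verified, and stores only a hash of it with an expiry, so it never needs the user's third-party email password and a read of the database leaks nothing reusable. The function names, the in-memory store and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a verification link

# Constructed stand-in for a database table: email -> (sha256 hex of token, expiry)
_pending = {}


def issue_verification_token(email, now=None):
    """Create a single-use, time-limited token and return the raw value to send
    in the verification email. Only its hash is stored server-side, so someone
    reading the table cannot reuse it (contrast with plaintext password storage)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    _pending[email] = (token_hash, now + TOKEN_TTL_SECONDS)
    return token


def verify_email(email, presented_token, now=None):
    """Return True once for a valid, unexpired token presented by the link click.
    The user proves control of the mailbox without revealing its password."""
    now = time.time() if now is None else now
    record = _pending.get(email)
    if record is None:
        return False
    stored_hash, expires_at = record
    if now > expires_at:
        _pending.pop(email, None)  # expired links are discarded
        return False
    presented_hash = hashlib.sha256(presented_token.encode()).hexdigest()
    # Constant-time comparison so response timing does not leak hash prefixes
    if not hmac.compare_digest(stored_hash, presented_hash):
        return False
    _pending.pop(email, None)  # single use: a replayed link fails
    return True
```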
Aside from the “readable” password controversy, the tech company has also been involved in other security scandals, including the hacking of 30 million Facebook accounts using stolen access tokens in October 2019 and Facebook's admission that the public data of 2.2 billion users was compromised in April 2018.
Of the 30 million hacked Facebook accounts, the attackers successfully accessed personal information from more than 29 million users, although the company assured that they were not able to access any third-party app data.
Furthermore, the tech company was also slammed for paying teenagers $20 to allow its servers to collect their private data.