Once again, Facebook is in the news for bad security practices, dark design patterns, and secretly reappropriating sensitive data meant for “authentication” to its own ends. Incredibly, this time, the company managed to accomplish all three in one fell swoop.
Last weekend, news broke that Facebook has been demanding some new users enter their email passwords in order to sign up for an account on the site. First publicized by cybersecurity specialist e-sushi on Twitter, the unnervingly phishing-like process worked like this: any user who tried to create a new account on Facebook with an email from one of a few providers (including Yandex and GMX) was directed to a page that asked them to “Confirm [Their] Email”--by entering their email password.
Soon after the news was reported more widely by The Daily Beast and Business Insider, Facebook discontinued its verify-with-password program. EFF was made aware of the sign-up flow before the stories were published. Armed with a burner Yandex email and a fresh browsing session, we were able to experiment with the password-grabbing tool briefly before it was shut down.
First, we observed that when we clicked on the “Connect to yandex.com” button, our email and password were sent directly to Facebook. Do not pass go, do not “Connect” to the third-party service the password belongs to. Facebook might not have stored our password, but it certainly saw it.
At a glance, there didn’t appear to be any way to avoid signing up without compromising our email password in this way. However, in the background, the company had already sent a traditional “confirmation email” to Yandex. We could have closed this signup window, gone to our email, and opened the link from there. Boom, done, we’d be “Confirmed.” But oddly, we didn’t see any indication of that on the “Confirm” page at first. We had to click on “Need Help” in order to see a dialog informing us that, actually, there was no need for a password at all.
The Plot Thickens
In a statement, Facebook said it gave people “the option” to enter their password in order to verify their account. But why did the company build this tool at all? Asking for passwords you don’t need is a classic security anti-pattern: a commonly reinvented, bad solution to a common problem. Facebook is a huge company with plenty of security engineers on its payroll. Surely someone must have identified this as a terrible idea. And users around the web are familiar with the need to verify accounts with a click in a confirmation email; there was no reason to reinvent the wheel.
So why was Facebook’s design so intent on getting users to input their passwords?
It makes more sense in the context of what happened next.
When we clicked “Connect to yandex.com,” an overlay with a status bar appeared. “Authenticating,” it said. But wait—“Importing contacts?” When did that happen? What? How? Why??
Our fake profile didn’t have any linkable Facebook friends, but the tool went through our contacts anyway. After a short time where the status bar informed us that it had found 0 contacts so far, this message popped up:
Somewhere in a cavernous, evaporative cooled datacenter, one of millions of blinking Facebook servers took our credentials, used them to authenticate to our private email account, and tried to pull information about all of our contacts.
After clicking Continue, we were dumped into the Facebook home page, email successfully “confirmed,” and our privacy thoroughly violated.
It’s not about security. It’s about your data.
Some more digging around Facebook’s website reveals that this isn’t the only place it asks for your email password and then uses it to import contact data. In fact, the “confirmation” flow that we tested appears to be a reskinned version of a tool that Facebook calls “Find Your Friends.” (We were tipped off to the existence of the tool by Rob Price of Business Insider.) After we had signed up for our new account, we were ferried to this page as part of the onboarding process. At time of writing, versions of this tool were also available (though possibly non-functional) at https://www.facebook.com/?sk=ff and https://www.facebook.com/find-friends/index.php.
This tool is more transparent about its intentions, but it still qualifies as a security mess. Here, Facebook encourages users to enter their email and (email) password in order to “find friends” who are already on Facebook.
Let us be clear: don’t do this. Never give a third-party company, especially one with Facebook’s dismal track record, unrestricted access to credentials for another account. Legitimate services, like password managers, might store your credentials with end-to-end encryption, but they don’t try to access your accounts without your consent. And plenty of websites integrate with single sign-on services from the likes of Google (and, yes, Facebook) using OAuth, a protocol that allows a third-party service to verify a user’s identity without access to their real password. OAuth was standardized nearly a decade ago to put a stop to the exact practice that Facebook has engaged in here.
Facebook’s tool only worked with accounts from a set of “supported” email hosts, including Yandex, GMX, Yahoo, Hotmail, AOL, and Comcast. When we tried to enter an email from an unsupported host, like Gmail, we were informed that Facebook “can't import contacts from this address yet.” Considering Facebook has sparred publicly with Google about contact-export features in the past, it’s unsurprising that Facebook wouldn’t attempt (or Google wouldn’t allow) automatic contact importing using raw credentials from Gmail.
This tool worked the first time we tried it, on April 2, but by April 3, after the story had broken, every email we entered (including the Yandex one) prompted a “can't import contacts from this address yet” message. For now, it appears that Facebook may have shut down the “Find Friends” program as well.
Why is this bad?
Where to begin.
Before we get into the manipulative data import feature, let’s talk about Facebook asking for email credentials in the first place. For all intents and purposes, this is a phishing attack. A company you don’t have a prior relationship with asks you to “confirm your email,” and tries to get you to enter your password into a website that is not your email client. This is the oldest trick in the book.
Phishing attacks commonly target email accounts because they are extremely rich data mines. For better or worse, email accounts often act as de facto digital passports. They connect users to social media, bank accounts, and services like gas, electric, and cable. They can be used to reset passwords for hundreds of services around the Internet. If your email is compromised, everything else about your digital identity is put at risk.
We cannot emphasize this enough: you should not give your email password to websites that are not your email provider or client. In this case, it looks like Facebook “only” wanted users’ contact lists, but that’s a paper-thin justification for the kind of access it demanded.
Tech companies, non-profits, researchers, community educators, and IT departments around the world have devoted millions of cumulative hours — writing countless explainers, giving presentations until their voices have gone hoarse, fundamentally redesigning how trust on the web works with cryptographic certificates and OAuth — all to prevent users from doing exactly this.
And Facebook, in its first interaction with a cohort of newcomers to its service, throws this all out the window. This interaction, and Facebook’s implicit assertion that nothing is out of the ordinary, is conditioning its users to be phished. For a company that is many people’s primary portal to the Internet, that’s downright irresponsible.
But the mis-education of new users is just the first layer of this onion of awfulness. By collecting sensitive information it didn’t need, Facebook put users at risk of future data breaches. Even if the company never intended to store users’ passwords, it’s hard to feel secure given its track record of, well, accidentally storing passwords. (The company said in a statement that “These passwords were not stored by Facebook.”)
Perhaps worst was Facebook’s approach to user consent. The “Confirm Your Email” page gave no context for why Facebook needed an email password and hid information about how to sidestep the process.
Everything about the page led users to believe they had no choice but to enter their email password. And once they did, nothing about the page indicated how Facebook would use it. According to the researcher who discovered it, an older version of the page had a “See how it works” link that led to… nothing. It wasn’t even a link, just a string of text that evoked the idea of one. Before users had the chance to consent to any kind of data collection, Facebook was scraping their email accounts for all of their social connections. This is worse than a typical dark pattern, which might take advantage of people’s tendency not to read fine print. It delivered unwanted behavior that even the most savvy users should not have predicted.
This isn’t the first time the company has collected data for one purpose and used it for another, which is why we’ve demanded that Facebook leave your phone number where you put it. Unfortunately, this probably won’t be the last time, either. Every breach of user trust drives home further what we already know: the company cannot be left to its own devices, and existing enforcement authorities haven’t done enough. In the short term, the FTC should use its power to send a message to Facebook and the rest of the surveillance-driven tech world that unfair and deceptive data gathering has serious consequences. And in the long term, we need strong privacy laws to keep companies in check.
In the meantime, you can take this as an opportunity to educate yourself or your friends and family about phishing with the help of our Surveillance Self-Defense guide. File this one as a textbook example of when to turn and run away.