Facebook Got Caught Phishing For Friends
Once again, Facebook is in the news for bad security practices, dark design patterns, and secretly reappropriating sensitive data meant for “authentication” to its own ends. Incredibly, this time, the company managed to accomplish all three in one fell swoop.
What happened?
Last weekend, news broke that Facebook had been demanding that some new users enter their email passwords in order to sign up for an account on the site. First publicized by cybersecurity specialist e-sushi on Twitter, the unnervingly phishing-like process worked like this: any user who tried to create a new account on Facebook with an email address from one of a few providers (including Yandex and GMX) was directed to a page that asked them to “Confirm [Their] Email” by entering their email password.
Soon after the news was reported more widely by The Daily Beast and Business Insider, Facebook discontinued its verify-with-password program. EFF had been made aware of the sign-up flow before the stories were published. Armed with a burner Yandex email and a fresh browsing session, we were able to experiment with the password-grabbing tool briefly before it was shut down.
First, we observed that when we clicked the “Connect to yandex.com” button, our email address and password were sent directly to Facebook, not to Yandex. Do not pass go, do not “Connect” to the third-party service the password belongs to. Facebook may not have stored our password, but it certainly saw it.
At a glance, there didn’t appear to be any way to sign up without handing over our email password. However, in the background, the company had already sent a traditional “confirmation email” to our Yandex inbox. We could have closed the signup window, gone to our email, and opened the link from there. Boom, done, we’d be “Confirmed.” But oddly, we saw no indication of that on the “Confirm” page at first. We had to click “Need Help” to see a dialog informing us that, actually, there was no need for a password at all….
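The traditional confirmation email works because only the person who controls the mailbox can read the link back to the site, so the site never needs the mailbox password. The following is an added example, not EFF’s or Facebook’s code, of the server side of that flow in Python: a signed, expiring, single-use token that goes into the emailed link. The link URL, the per-process signing key and the in-memory nonce set are assumptions for illustration; a real deployment would load the key from a secret store and track used nonces in a database.

```python
"""Email-ownership confirmation via a signed, expiring, single-use link token.

Added illustration: ownership of a mailbox is proven by mailing a token that
only the mailbox owner can read back, so no email password is ever requested.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption for this example: key generated per process. A real deployment
# loads it from a secret store and rotates it.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 60 * 60  # confirmation links expire after a day


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, issued_at: Optional[float] = None,
                            key: bytes = SIGNING_KEY) -> str:
    """Build the token placed in the confirmation link: base64(payload).base64(hmac)."""
    payload = {
        "email": email,
        "nonce": secrets.token_hex(16),  # unique per token, so each link is single-use
        "iat": int(time.time() if issued_at is None else issued_at),
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64e(body)}.{_b64e(sig)}"


class ConfirmationService:
    """Issues confirmation links and accepts each token exactly once."""

    def __init__(self, key: bytes = SIGNING_KEY, ttl: int = TOKEN_TTL_SECONDS):
        self.key = key
        self.ttl = ttl
        self.used_nonces = set()  # would be a database table in practice

    def confirmation_link(self, email: str, issued_at: Optional[float] = None) -> str:
        # Hypothetical confirmation URL; only the token matters for verification.
        token = make_confirmation_token(email, issued_at, self.key)
        return "https://example.invalid/confirm?token=" + token

    def confirm(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the confirmed email, or None if the token is malformed,
        forged, expired or replayed."""
        try:
            body_b64, sig_b64 = token.split(".", 1)
            body = _b64d(body_b64)
            sig = _b64d(sig_b64)
        except (ValueError, binascii.Error):
            return None  # malformed token
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # tampered payload or signed with a different key
        payload = json.loads(body)
        now = time.time() if now is None else now
        if now - payload["iat"] > self.ttl or payload["iat"] > now + 60:
            return None  # expired, or issued in the future (clock skew beyond tolerance)
        if payload["nonce"] in self.used_nonces:
            return None  # replay: a link confirms once
        self.used_nonces.add(payload["nonce"])
        return payload["email"]


if __name__ == "__main__":
    svc = ConfirmationService()
    link = svc.confirmation_link("user@example.invalid")
    tok = link.split("token=", 1)[1]
    print("first use:", svc.confirm(tok))   # the email address
    print("replay:", svc.confirm(tok))      # None
```

The whole secret the user reveals is the token, which was minted by the site and is worthless to anyone who cannot read that mailbox; the mailbox password itself never leaves the user. Expiry bounds how long a leaked link is useful, and the nonce set stops a link from being replayed after the account is confirmed.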
https://www.eff.org/deeplinks/2019/04/facebook-got-caught-phishing-friends