Facebook asks new users for email passwords




Facebook is asking some new users to hand the social network the password for their email accounts, a practice that security experts say has security implications and that could teach people to adopt "risky" behavior online.

In general, security experts urge users never to disclose their passwords, or to enter them into any service other than the one they were created for, to avoid the risk of "phishing" attacks, which lead to the theft of passwords and personal information.

But on Facebook, when users try to sign up with certain email providers, including Yandex and GMX, they are asked to "confirm your email address" by entering their email password directly into Facebook, as The Daily Beast first reported.

Users of other email providers, such as Google Mail, do not see this option because Facebook uses the OAuth authorization protocol for them, a common way to verify your identity securely without having to type your password into a third party's site the way Facebook asks for it here.

Business Insider also found that if a new user chooses to enter their email account password into Facebook, a pop-up window appears telling them that Facebook is "importing contacts", even though the user never asked for this. It is not immediately clear whether the tool actually imports those contacts: it apparently did not pull in the entries from a contact list we created for testing purposes, though those contacts were only a few minutes old at the time.

Screen Capture / Rob Price

Reached for comment, a Facebook spokesman said the company is removing the feature, although the company did not provide a timeline.

"It's basically impossible to distinguish from a phishing attack"

Bennett Cyphers, a security researcher at the advocacy group the Electronic Frontier Foundation, strongly criticized Facebook's actions. "It's basically impossible to distinguish from a phishing attack," he said in a phone call, noting that users are usually told never to give their password to anyone other than the site it was created for.

"It's bad on so many levels. It's an absurd overreach on Facebook's part and a sketchy attempt to trick people into sending data about their contacts to Facebook as the price of signing up. Even if you agree to upload your contact information to Facebook, you should never have to put in your email password to do it," Cyphers wrote in a follow-up email.

"No company should ever ask for credentials like this from people, and you shouldn't trust anyone who does. It goes against all security best practices, basic decency and common sense," he wrote.

Troy Hunt, a security expert and operator of the breach-notification service Have I Been Pwned, was also critical. "It's certainly an anti-security pattern in that it involves sharing the secrets of one platform (the email provider) with another (Facebook)," he wrote in an email.

"While Facebook would no doubt take precautions to protect the email account password, it doesn't seem necessary when there's an easy alternative (namely the approach taken with Gmail accounts), and it conditions people to engage in risky behavior," he wrote.

The password entry form states that Facebook does not store the passwords, but there is no way to independently audit this and confirm that it is the case. It was recently revealed that the company had been storing hundreds of millions of user passwords in plain text, in violation of established security best practices.

In a statement, a Facebook spokesman said: "These passwords are not stored by Facebook. A very small group of people have the option of entering their password to verify their account when they first sign up for Facebook. Others instead choose to confirm their account with a code sent to their phone or a link sent to their email address."

The spokesman added: "That said, we understand that the password verification option isn't the best way to go about this, so we are going to stop offering it."


Do you have a tip? Contact this reporter via encrypted messaging app at +1 (650) 636-6268 using a non-work phone, email [email protected], Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. You can also contact Business Insider securely via SecureDrop.
