Monday, April 8, 2019

Facebook Got Caught Phishing For Friends

Once again, Facebook is in the news for bad security practices, dark design patterns, and secretly reappropriating sensitive data meant for “authentication” to its own ends. Incredibly, this time, the company managed to accomplish all three in one fell swoop.

What happened?

Last weekend, news broke that Facebook has been demanding some new users enter their email passwords in order to sign up for an account on the site. First publicized by cybersecurity specialist e-sushi on Twitter, the unnervingly phishing-like process worked like this: any user who tried to create a new account on Facebook with an email from one of a few providers (including Yandex and GMX) was directed to a page that asked them to “Confirm [Their] Email” by entering their email password.


Soon after the news was reported more widely by The Daily Beast and Business Insider, Facebook discontinued its verify-with-password program. EFF was made aware of the sign-up flow before the stories were published. Armed with a burner Yandex email and a fresh browsing session, we were able to experiment with the password-grabbing tool briefly before it was shut down. (...)

The Plot Thickens

In a statement, Facebook said it gave people “the option” to enter their password in order to verify their account. But why did the company build this tool at all? Asking for passwords you don’t need is a classic security anti-pattern: a commonly reinvented, bad solution to a common problem. Facebook is a huge company with plenty of security engineers on its payroll. Surely someone must have identified this as a terrible idea. And users around the web are familiar with the need to verify accounts with a click in a confirmation email; there was no reason to reinvent the wheel.

So why was Facebook’s design so intent on getting users to input their passwords?

It makes more sense in the context of what happened next.

When we clicked “Connect to yandex.com,” an overlay with a status bar appeared. “Authenticating,” it said. But wait—“Importing contacts?” When did that happen? What? How? Why??

Somewhere in a cavernous, evaporative cooled datacenter, one of millions of blinking Facebook servers took our credentials, used them to authenticate to our private email account, and tried to pull information about all of our contacts.

After clicking Continue, we were dumped into the Facebook home page, email successfully “confirmed,” and our privacy thoroughly violated. (...)

Why is this bad?

Where to begin.

Before we get into the manipulative data import feature, let’s talk about Facebook asking for email credentials in the first place. For all intents and purposes, this is a phishing attack. A company you don’t have a prior relationship with asks you to “confirm your email,” and tries to get you to enter your password into a website that is not your email client. This is the oldest trick in the book.

Phishing attacks commonly target email accounts because they are extremely rich data mines. For better or worse, email accounts often act as de facto digital passports. They connect users to social media, bank accounts, and services like gas, electric, and cable. They can be used to reset passwords for hundreds of services around the Internet. If your email is compromised, everything else about your digital identity is put at risk.

We cannot emphasize this enough: you should not give your email password to websites that are not your email provider or client. In this case, it looks like Facebook “only” wanted users’ contact lists, but that’s a paper-thin justification for the kind of access it demanded.

Tech companies, non-profits, researchers, community educators, and IT departments around the world have devoted millions of cumulative hours — writing countless explainers, giving presentations until their voices have gone hoarse, fundamentally redesigning how trust on the web works with cryptographic certificates and OAuth — all to prevent users from doing exactly this.

And Facebook, in its first interaction with a cohort of newcomers to its service, throws this all out the window. This interaction, and Facebook’s implicit assertion that nothing is out of the ordinary, is conditioning its users to be phished. For a company that is many people’s primary portal to the Internet, that’s downright irresponsible.

Uninformed non-consent

But the mis-education of new users is just the first layer of this onion of awfulness. By collecting sensitive information it didn’t need, Facebook put users at risk of future data breaches. Even if the company never intended to store users’ passwords, it’s hard to feel secure given its track record of, well, accidentally storing passwords. (The company said in a statement that “These passwords were not stored by Facebook.”)

Perhaps worst was Facebook’s approach to user consent. The “Confirm Your Email” page gave no context for why Facebook needed an email password and hid information about how to sidestep the process.

Everything about the page led users to believe they had no choice but to enter their email password. And once they did, nothing about the page indicated how Facebook would use it. According to the researcher who discovered it, an older version of the page had a “See how it works” link that led to… nothing. It wasn’t even a link, just a string of text that evoked the idea of one. Before users had the chance to consent to any kind of data collection, Facebook was scraping their email accounts for all of their social connections. This is worse than a typical dark pattern, which might take advantage of people’s tendency not to read fine print. It delivered unwanted behavior that even the most savvy users should not have predicted.

by Bennett Cyphers and Jason Kelley, EFF