By Bennett Cyphers and Jason Kelley | 4 April 2019
ELECTRONIC FRONTIER FOUNDATION — Once again, Facebook is in the news for bad security practices, dark design patterns, and secretly reappropriating sensitive data meant for “authentication” to its own ends. Incredibly, this time, the company managed to accomplish all three in one fell swoop.
Last weekend, news broke that Facebook has been demanding some new users enter their email passwords in order to sign up for an account on the site. First publicized by cybersecurity specialist e-sushi on Twitter, the unnervingly phishing-like process worked like this: any user who tried to create a new account on Facebook with an email from one of a few providers (including Yandex and GMX) was directed to a page that asked them to “Confirm [Their] Email” – by entering their email password.
Soon after the news was reported more widely by The Daily Beast and Business Insider, Facebook discontinued its verify-with-password program. EFF was made aware of the sign-up flow before the stories were published. Armed with a burner Yandex email and a fresh browsing session, we were able to experiment with the password-grabbing tool briefly before it was shut down. […]