
Facebook Asking for Some New Users' Email Passwords - sharkweek
https://www.thedailybeast.com/beyond-sketchy-facebook-demanding-some-new-users-email-passwords
======
packetslave
[https://www.axios.com/facebook-will-stop-asking-new-users-for-their-email-passwords--355c2e94-793f-47b7-a582-9ee0a4f01ae3.html](https://www.axios.com/facebook-will-stop-asking-new-users-for-their-email-passwords--355c2e94-793f-47b7-a582-9ee0a4f01ae3.html)

 _Facebook told Axios that "a very small group of people have the option of
entering their email password to verify their account when they sign up for
Facebook," but noted that people could choose instead to confirm their account
with a code or link sent to their phone or email.

"That said, we understand the password verification option isn't the best way
to go about this, so we are going to stop offering it," the company said in a
statement.

Those being asked for their e-mail passwords were users who listed an e-mail
address that doesn't use the secure OAuth protocol, which allows users to
verify their identity to a third party without sharing their passwords._

~~~
dragonsngoblins
And so what if they are going to stop? Why were they offering it in the first
place? It is such an obviously terrible idea.

~~~
jammygit
'move fast and break things' ?

~~~
lostlogin
What’s the phase after you’ve moved fast and broken the things?

~~~
helloindia
Done is better than perfect.

~~~
iainmerrick
Shurely “broken is better than slow”?

------
nnq
Last service that I remember asking me for the signup email password was
...wait for it ... _MySpace!_

It was years ago, but it sounds a bit like a _swan song_ pattern to my ears
despite the lack of any rational connection...

...they should find a new WhatsApp or a Snapchat to buy ASAP because sooner or
later they'll be too uncool for people to share the interesting content in
their garden, so their humongous user base's value will start asymptoting to
$0.

~~~
philipov
What is a swan song pattern? Google thinks it's a quilting style.

~~~
3minus1
just look up swan song

------
kyle-rb
I just don't understand how this gets implemented without someone speaking up
and saying "hey, wait, isn't this an insane thing to do?".

I would guess it's some combination of the complainers being ignored, and
people at a higher level thinking "well we're doing this in a secure way, as
long as the user trusts us, and why wouldn't they trust us, we're Facebook!".

~~~
leCapitalist
Easy.

The engineers who built it care mostly about their total compensation and
getting promoted. They therefore gleefully implement the product requirements.

The PMs behind the idea also care about the above, except they are held to
account by business objectives. By narrowly optimizing for a particular
objective (reducing account fraud) in an unprincipled manner, they come up
with an insane feature idea like this.

The lowly L3 engineer fresh out of college understands how crazy this is and
speaks up, but is hammered down by the culture. The decision is quite
literally above their pay grade. They begrudgingly fall in line as they have
the most to lose in this situation.

Finally a story like this breaks and upper management realizes the
contradiction with the narrative that they're trying to create - that Facebook
really does care about your privacy. The whole project gets scrapped, and by
the time it's all said and done, over $1M is wasted.

Welcome to life at a big tech company.

~~~
Traster
I find it fascinating how big tech companies are intent on spending enormous
sums of money seeking out the top tech talent in the world. Then rather than
listen to them when they voice concerns they try to beat them down into
submission. I get that if you worked at a company whose core mission is evil
that you just have to accept that when you sign up, but there's no reason
facebook _needs_ to be make these active moral choices to pursue things in the
worst possible way and yet they consistently do.

~~~
nstart
That's exactly why they spend that much money. They know you can be submitted.
They want tech talent. Not revolutionists. It's a rough world out there and
it's better to get in line than lose your pot of gold.

Doesn't make it right at all. But if you were that engineer, it's easier to
say to yourself that you'll work your way up and change things the day you are
in charge.

~~~
_jal
It is kinda funny when you tell their headhunters you will never work for them
because they don't meet your ethical standards. I highly recommend the
experience.

~~~
circular_logic
Were they confused, angry or both?

~~~
_jal
Confused at first, and then eager to get off the phone.

------
emilsedgh
I think Facebook is _very_ desperate and they don't seem to have a choice.

You see, Facebook has Facebook.com, Instagram and Whatsapp.

Facebook.com has already reached its peak and is not going to grow.

Instagram is likely to have the same trajectory as Facebook.com and Whatsapp
is not making them money anyways.

They failed to get into _any_ new market or come up with _any_ decent product.

And they are supposed to compete with Google, which is competing on all fronts
with extremely competitive offerings.

* Google Search
* Gmail
* Android
* Youtube
* Chrome
* Chrome OS
* Google Drive
* Google Analytics
* Google Docs
* Google Cloud
* Google Apps
* Google Maps

And they seem to be constantly trying new things (Stadia seems to have a
really good chance to compete with PS and Xbox and get them a holding in
gaming)

And Facebook keeps pushing out pathetic moves like this and all their
acquisitions that were supposed to help them get into new markets and sectors
(Oculus, Parse, etc) seem like failures.

Acquisition of Instagram bought them another 10-15 years and they should be
just very lucky to keep making the right call and buy the next Instagram.

~~~
passalong2019
> extremely competitive offerings

Chrome OS

Have you followed news recently? It's dead.

~~~
xerosis
Genuine question as I don't: what news?

------
hn_throwaway_99
All of these types of "hey, give us your password to this other system" are
just training users to get phished.

IMO the worst offender in this is Plaid, which has created a service where
millions of people are giving their _banking credentials_ so some random
startup can mine your transaction data. And people think FB has privacy
implications...

~~~
tapland
Swedish payment processor Klarna does something similar to this as well. If
buying something through the platform by direct bank transfer you are asked to
sign in to your bank to accept the payment using BankID [0], which is normal.

What is not normal is that they grab your personal identification number and
send a login request using BankID before you open your app. When
authenticating the login you authorize one of Klarna's third parties to log
into your bank account as you, allowing them to pull records of all your
financial transactions, account statements etc. Most users just authenticate
the login without reading where the request is coming from on the login
prompt.

I don't understand how that can be legal, but they are relying on recent court
cases where scammers would call old people asking them to log on to check
their retirement accounts. The scammers would then send a login request before
the user sent theirs, log on to the accounts and change what funds received
the victims pension payments. The scammers were ruled in the wrong, but the
logins themselves were ruled to be an ok way of doing business.

[0] [https://en.wikipedia.org/wiki/Electronic_identification#Sweden](https://en.wikipedia.org/wiki/Electronic_identification#Sweden)

~~~
Benjamin_Dobell
POLi in Australia also asks for your bank username and password, logs into
your bank's online portal, and performs a bank transfer on your behalf; which
is of course in violation of the bank's policies.

It's truly insane, if I see any company accepting payment via POLi it's
instant verification the company in question is clueless and that I should
avoid using their services whenever possible, because they have _zero_ idea
about security.

According to POLi[1][2], the list includes:

Qantas, Jetstar, Virgin Australia, Microsoft (?), Sportsbet, Emirates,
BetEasy, CoinSpot, Australia Post, TigerAir, Facebook (?)

The list goes on. It's pure madness.

I really wish there was more awareness of this, I can't believe these massive
companies can't comprehend how they're being implicated when they encourage
users to hand over their _banking_ password to a third party.

[1] [https://www.polipayments.com/](https://www.polipayments.com/)

[2] [https://www.polipayments.com/Buy#matrix](https://www.polipayments.com/Buy#matrix)

~~~
Nullabillity
Trustly does this, too.

~~~
tapland
Not sure about that. I used Trustly last week and only had one authentication,
which was for the actual payment. No login to my bank.

But I might be misremembering.

------
wodenokoto
Hey, this is like 10 years ago, when both Facebook and LinkedIn were pestering
you to give them your e-mail password, so they could import all your contacts.

We really haven't moved forward at all!

------
ma2rten
In the old days didn't lots of people give their email passwords to Facebook,
so that it could scan their contacts and invite everyone to Facebook?

~~~
bArray
Not sure about them previously asking for email passwords, but there are many
email APIs that can give permissions access to your contacts [0]. I don't
doubt that in the older days of Facebook they were probably achieving this
using some shadier methods.

But worse than this, just by installing the Facebook App it liberally takes
contact details from your device [1].

I personally use mbasic.facebook.com as it can run without JS and only updates
when you refresh the browser. facebook.com refuses to run without JS and
causes my browser to use tonnes of resources when JS is enabled.

(P.S. Like many, I can't completely abandon Facebook just yet as lots of older
friends and family are "unable" to migrate to other platforms.)

[0] [https://developers.google.com/contacts/v3/](https://developers.google.com/contacts/v3/)

[1] [http://www.androidbeat.com/2018/03/facebooks-android-stealing-contacts-call-logs-sms-data-years/](http://www.androidbeat.com/2018/03/facebooks-android-stealing-contacts-call-logs-sms-data-years/)

~~~
jaimehrubiks
I didn't know about mbasic facebook, it is awesome! Thank you. Even the chat
works without needing to put the phone in desktop mode.

------
dmitryminkovsky
Doesn’t this ask the user to violate the terms of service of their own email
platforms, assuming most email providers prohibit you from sharing passwords?

~~~
lostmyoldone
Almost certainly.

------
alex_young
Some habits are hard to get over I guess. Remember when Mark Zuckerberg
(allegedly) used FB data to hack into the email accounts of journalists
reporting on him? [0]

Why trust him now?

[0] [https://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3?r=US&IR=T](https://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3?r=US&IR=T)

------
js2
I recently learned that when you connect your Paypal account to your checking
account, there's two verification methods you can choose between: 1) the good
old fashioned, we'll make two small deposits into your account, tell us what
they are; and 2) just give us the login info for your bank's web site.

But Mint works the same way, doesn't it?

~~~
0xffff2
I believe most if not all legitimate companies that ask for your banking
credentials (besides your bank, obviously) are just passing them straight to
[https://plaid.com/](https://plaid.com/). It's still questionable whether you
should trust Plaid with your banking credentials, but at least you probably
don't need to trust that Paypal and Mint are both going to store your
credentials securely.

~~~
bpicolo
> but at least you probably don't need to trust that Paypal and Mint are both
> going to store your credentials securely.

Sure you do. They have it in plaintext on their servers. It can end up in
logs. It's also not just Plaid - Mint uses Intuit, Yodlee is an option.
There's a whole lot of people you need to trust to use these services.

For many banks, it also means you need to disable 2fa on your banking account,
so using these services directly weakens your security.

------
jrockway
I wonder what Facebook would do if I created a site that "verifies your
identity" by having the user type in their Facebook password.

It just seems like an unwritten rule that sites are not to ask users for other
sites' passwords. It's basically phishing.

~~~
jobigoud
I think there are many services for social media that ask for your account
password so they can post in your name on Instagram or Twitter when you post a
Youtube video or whatnot. Not to mention the shadier services that do the
follow-unfollow dance.

------
jaimex2
What hypocrites.

They certainly don't like it when you do it to them.
[https://www.gizmodo.com.au/2018/08/facebook-wanted-us-to-kill-this-investigative-tool/](https://www.gizmodo.com.au/2018/08/facebook-wanted-us-to-kill-this-investigative-tool/)

------
Causality1
Facebook has never faced significant financial consequences for its misdeeds.
You can be assured it will continue to hold its users' privacy and security as
distant second place priorities to how much money it can make off them. If you
want a company not to be evil you have to make being evil more expensive than
being good. Nobody is willing to do that so the shit-show will continue for
the foreseeable future.

------
speeq
Oh, did they stop asking for nudes yet?

[https://www.bbc.com/news/newsbeat-44223809](https://www.bbc.com/news/newsbeat-44223809)

~~~
giancarlostoro
I'm starting to miss MySpace.

------
samtrack2019
The sad story of people is that they give their email password to everyone who
asks. I keep telling my friends "please don't tell me your password, just type
it," but they keep laughing at me, i.e. "stop it! you and your crazy tin hat."
It's the sad reality really.

------
fattire
Could someone please set up a honeypot IMAP server to detect illegal Facebook
logins?

------
danielscrubs
I noticed that when I was dating around it was extremely important that they
could find my Facebook profile; if I said I don't use Facebook much they would
immediately respond with scepticism.

For that purpose alone I kept it.

And they have a point, it's easy to find out if someone is single or not via
Facebook, and you are bound by your friends to be truthful.

I'm not single anymore, but I'm still curious, in those countries where
everyone is not sleeping around with everyone what would replace Facebook?

~~~
atulvi
> countries where everyone is sleeping around with everyone

I want to know where these are

~~~
orbifold
France obviously:)

------
skilled
Just when you think these idiots couldn't come up with any more dumb shit.

------
nathan_long
Verifying a user's email by collecting their password is ineffective for users
with 2FA enabled and reckless/malicious for those (the majority) without it.

Accidentally log that data somewhere, and you've opened a way for attackers to
take over your users bank accounts, social media, and pretty much every other
online account, as they all rely on email verification.

If we had privacy laws with teeth, somebody at FB would be calculating how
many millions in liability each piece of data collected represents. This one
would be astronomical and an automatic "no" by those calculations.

------
mithr
If this is really for the purpose of email verification, I can't even begin to
fathom what they were thinking. Asking for users' email credentials is
terrible, but even requiring that they log in using OAuth is ridiculous!

Verifying email addresses is a solved problem that doesn't require _any_ of
that... you just send a time-sensitive, signed link containing a unique
identifier to that email address, and users click it to verify their address.

I really can't understand why they would choose to go a different way -- and
particularly _this_ one.
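
The "solved problem" the comment above refers to, as an added example that is not part of the original thread or of Facebook's code: a time-limited, HMAC-signed verification link with a single-use nonce. Everything here is constructed for illustration; the key `SERVER_KEY`, the 15-minute lifetime, the `used_nonces` set standing in for a database table, and the `example.invalid` URL are assumptions, not anything from the article.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example key: a real service loads this from a secret store and
# rotates it; it never lives in source.
SERVER_KEY = b"example-only-verification-key-change-me"
TOKEN_TTL_SECONDS = 15 * 60  # links stop working after 15 minutes (assumed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_verification_token(email: str, key: bytes = SERVER_KEY,
                            now: Optional[int] = None,
                            ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Build the opaque string that goes into the emailed link.

    The payload carries the address, an expiry and a random single-use nonce;
    the HMAC over the payload is what makes the link unforgeable.
    """
    now = int(time.time()) if now is None else int(now)
    claims = {"email": email, "exp": now + ttl, "nonce": secrets.token_urlsafe(16)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64url(payload)}.{_b64url(_mac(payload, key))}"


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the MAC matches and the token is unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _b64url_decode(payload_b64)
        presented_mac = _b64url_decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: no timing side channel on the MAC bytes.
    if not hmac.compare_digest(_mac(payload, key), presented_mac):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp, email, nonce = claims.get("exp"), claims.get("email"), claims.get("nonce")
    if not (isinstance(exp, int) and isinstance(email, str) and isinstance(nonce, str)):
        return None
    if exp <= now:  # expired links are rejected even though the MAC is valid
        return None
    return claims


def redeem_token(token: str, used_nonces: set, key: bytes = SERVER_KEY,
                 now: Optional[int] = None) -> Optional[str]:
    """Verify and consume the link: each nonce is honoured exactly once.

    `used_nonces` is a stand-in for the table a real service would persist.
    """
    claims = verify_token(token, key, now)
    if claims is None or claims["nonce"] in used_nonces:
        return None
    used_nonces.add(claims["nonce"])
    return claims["email"]


if __name__ == "__main__":
    token = make_verification_token("alice@example.com")
    print(f"https://example.invalid/verify?token={token}")  # constructed link
    print(redeem_token(token, set()))
```

The server never learns anything beyond "someone who can read this mailbox clicked the link", which is exactly the property email verification needs; no password, and no OAuth grant, changes hands.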

------
jayalpha
Hey, this is great news. This is like linkedin. Who does not appreciate this
never ending stream and connection invites to non Linkedin users?

------
PunksATawnyFill
NEVER force people to use an E-mail address as a user ID. Doing so is amateur-
hour and straight-up STUPID: [https://goldmanosi.blogspot.com/2012/06/forcing-people-to-use-e-mail-address-as.html](https://goldmanosi.blogspot.com/2012/06/forcing-people-to-use-e-mail-address-as.html)

~~~
methodover
Credential stuffing is a huge problem.

I am not sure if allowing users to use non-email addresses as a user-name
helps solve that problem, though. I would be interested in reading research on
the subject.

------
slics
It's interesting to note that in order for a feature or capability to be
implemented, it has to provide value to the end user. So at the planning phase
of this feature, didn't anyone in their right mind think that this was a bad
idea? Given the current situation that Facebook (Fakebook) is in with security
missteps, why even invest time and money just to hope that users (at least the
ones that are concerned) won't complain? Hope it's not a strategy.

------
26a2o4
>Facebook is demanding some users fork over the password for their outside
email account as the price of admission to the social network

What a dishonest article. Facebook is not demanding that users give them the
password to their email to be able to use the network. Instead, it looks like
they are giving the option of doing so to verify the email address, but you
can still go the traditional route of verifying your email by clicking a link.

~~~
thinkingemote
Interesting take. The article says what happens; it doesn't hide the process.
The user is presented with a dialog box asking for their external email
password, and the article states that the user, by clicking the small "need
help?" link in the corner, can ask for other traditional methods. Nothing
dishonest in the article.

------
fimdomeio
The question here rather than why are you asking for mail passwords is what is
facebook doing with the passwords? All possible answers seem creepy as hell.

------
christkv
All corporations are fundamentally feudal systems. At a big enough scale they
all become some twisted form of the Franz Kafka novel The Castle.

------
u801e
On a somewhat related note, I recently added an external bank account to my
E-trade account. They gave me two options for verifying it. The first was to
make a small deposit into the external account (which they said would take
several days to complete). The second option was to provide my bank account's
credentials and they could verify it immediately. I chose the first option.

------
yalogin
Don't a lot of the social networks do this? LinkedIn used to ask for email
passwords all the time at one point, don't know if they still do. Mint and
others want passwords to bank accounts. I know we are a bit more sensitive,
i.e. about privacy, but the general population is still not. I can understand
Facebook needs to be extra cautious now but I guess they don't care.

------
megous
I don't get the outrage. No comment mentions this, but most non-tech people
already give Facebook their e-mail password. All Facebook needs to do is try
to use it.

Look up the password re-use rates among users of the Internet.

People may have weak and strong passwords for less and more important services.
Guess how they would rate Facebook...

------
GistNoesis
How did they make it work? Even given the passwords, how would they check
robustly without tripping the email "unusual connection from IP x.x.x.x"? Even
if they have a few IPs to make the checks, the mail server may notice that one
IP is connecting to thousands of accounts.

------
MagicPropmaker
I don't understand how they can login for you on any of the popular email
providers.

Gmail, for example, detects a new computer by cookie and "fingerprint" (ip
address, browser, UA, etc). You then get 2fa'd or at least "robot checked".

How did they make this a smooth experience?

~~~
javagram
According to the article it was only offered to a subset of providers that
don't have OAuth APIs.

Presumably Google and other high-security email providers got the OAuth option
and this more insecure option was offered to users with ESPs that don't have
the Gmail security features you mentioned.

------
908087
This must be part of Zuckerberg's new pro-privacy makeover.

Maybe they can also scan users' e-mails for "suicidal ideation" and have their
swatting algorithm send in the police to "protect" them.

~~~
headsoup
It is perhaps the way you've presented the argument that is generating
downvotes, but I fail to see how this is outside the realm of Facebook's
pursuits given past behaviour and current activity.

Or is it that people would support this use because of a 'noble intention?'
(ends justify means)

~~~
dylan604
Would Facebook then start making calls to the police for welfare checks when a
user stops using Facebook without closing their account? Surely, something
must have happened to the user if they stopped logging in frequently. After
all, users don't just stop using the service.

------
hgasimov
The answer is simple. They don't care about the moral side of their actions and
the government doesn't want to take any serious action about that. I would be
surprised if they stopped doing so.

------
zelon88
> "...so we are going to stop _offering_ it," Facebook wrote.

Stop patronizing us. Seriously, you look foolish and ignorant. Drop the
marketing speak and own your screw-up.

------
thefounder
They did it before and to be fair Facebook knows better what they are doing.
People are generally "ignorant" and don't care so why not?

------
ubermonkey
It remains true that no one should ever ask for your password.

Simply asking for my password is enough to make me distrust you forever.

------
sleepybrett
Jesus fucking christ facebook, read the goddamned room.

------
deanclatworthy
What am I missing here? I have to type my password when I log in to Facebook.
They are probably storing a hash of each of the users' passwords (after
changes) and then comparing against index[0]?

~~~
tragic
They're asking for the password to your _email_ account, not your Facebook
account.

~~~
deanclatworthy
So what are they doing with that? How can they verify it? Are they actually
logging into your email account with that? Surely (BigCompany) measures would
prevent that?

~~~
icebraining
> So what are they doing with that? How can they verify it? Are they actually
> logging into your email account with that?

Well, of course.

> Surely (BigCompany) measures would prevent that?

What do you mean?

------
missingcolours
Title seems misleading. Per the article it seems they demand email
confirmation, but merely offer to access your email for you in order to
accomplish that.

(This is not a defense of Facebook's actions here)

~~~
ardy42
> Per the article it seems they demand email confirmation, but merely offer to
> access your email for you in order to accomplish that.

It's definitely a dark pattern though. And Facebook rarely seems content to
only use data for the purpose they advertise when asking for it. For instance,
there was an article recently that proved they were using phone numbers
collected for 2FA to do ad-targeting as well.

------
aqibgatoo
Facebook is cancer

------
auslander
Linkedin asks you to do the same at every page.

~~~
icebraining
I never gave mine, and haven't seen that in years. Not that I think they're a
decent company.

------
subbz
Late april fools?

------
qwerty456127
WTF

------
Crontab
"They trust me — dumb fucks" ~ Mark Zuckerberg

------
sarashawqy1
why

------
joering2
Honest question - is it the time for a new social network already??

~~~
baroffoos
There already are new social networks. Why aren't you using them?

~~~
UweSchmidt
Network effects keep people in place. Switching social networks would need a
bit of a movement, which OP maybe wanted to low-key initiate?

The next social network would also have to provide the simplicity, performance
and features people expect, while showing real, understandable improvements in
terms of privacy or the economic model (e.g. no risk being bought by Facebook
like WhatsApp).

In general, 'new social networks' seem rarely discussed, here in HN or
elsewhere; can you maybe name a few of the options you have in mind?

------
raverbashing
Congratulations, Zuckerberg just beat Gates in complete lack of Ethical
behaviour

~~~
SmellyGeekBoy
Just?

------
fareesh
How is this even implemented safely?

The passwords have to be forwarded over to the email provider, so they are
flying around log files, unsafe in the database. There's actually a programmer
somewhere who can read all of them and put them in a text file and take them
home.

~~~
icebraining
In theory, the password doesn't have to be stored at all. I bet it's kept in
some sort of job queue, so it might be stored on disk (e.g. Redis AOF), but
even that could be avoided.

Still, one has to wonder why do it at all, considering the simple alternative
of sending a verification email, which was already implemented.

~~~
fareesh
Isn't the motive to get the user's contact lists?

If there's an error isn't there a chance that the password leaks out into an
error log somewhere?

~~~
icebraining
> Isn't the motive to get the user's contact lists?

Probably, yeah.

> If there's an error isn't there a chance that the password leaks out into an
> error log somewhere?

Sure; there are ways of avoiding that, but who knows what they did.
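
Two of the "ways of avoiding that" mentioned above, as an added example that is not part of the thread and says nothing about how Facebook's job actually worked: a `Secret` wrapper whose `repr`/`str` never yield the credential, so it cannot leak through f-strings, `%r` formatting or exception messages, plus a logging filter that scrubs `password=...` fragments from any record as a second layer. The `_connect_to_mailbox` stub, the logger name and the sample credential are constructed for the demonstration.

```python
import logging
import re
from io import StringIO


class Secret:
    """Wrapper for a credential that must not reach logs or error messages.

    Only an explicit reveal() yields the raw value; repr/str are redacted, so
    f-strings, %r, exception messages and debugger dumps show a placeholder.
    """
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


# Catches password-ish key/value pairs that slip into free-text log lines.
_KV_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret)\b(\s*[=:]\s*)\S+")


def redact(text: str) -> str:
    """Replace the value part of 'password=...' / 'pwd: ...' fragments."""
    return _KV_RE.sub(r"\1\2<redacted>", text)


class RedactingFilter(logging.Filter):
    """Second line of defence: format the record, then scrub the result."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevents double formatting
        return True


def _connect_to_mailbox(email: str, password: Secret) -> None:
    # Constructed stand-in for the IMAP/SMTP login; it always fails so the
    # example exercises the error path the commenters are worried about.
    raise ConnectionError(f"login rejected for {email} using {password!r}")


def run_verification_job(email: str, password: Secret) -> str:
    """Attempt the login, log the failure the way a careless worker might, and
    return the captured log text so the caller can inspect what leaked."""
    stream = StringIO()
    logger = logging.Logger("verify-example")  # private logger, no global state
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    try:
        _connect_to_mailbox(email, password)
    except ConnectionError:
        # %r on a Secret prints the placeholder, and the traceback carries the
        # exception message, which was built with the same redacted repr.
        logger.exception("verification failed user=%s creds=%r", email, password)
    # Even a raw string that somehow contains the credential is caught by the filter.
    logger.debug("request dump: user=%s password=%s", email, password.reveal())
    return stream.getvalue()


if __name__ == "__main__":
    print(run_verification_job("alice@example.com", Secret("hunter2")))
```

The wrapper is the primary control: the value only leaves it through `reveal()`, which the code that actually opens the connection calls and nothing else should. The filter is belt-and-braces for the string-concatenation mistakes that still get through code review.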

------
kevin_thibedeau
I had someone create a Facebook account with my email once. I let it persist
for a year until I got tired of the friend request notices. Did a password
reset and deleted the account.

~~~
procinct
Did you verify the email for them?

~~~
Marsymars
I'm not sure how rigorous email verification workflows are in general. I had
someone manage to transfer their Apple account to one of my emails a few years
ago.

