
Facebook's Security Fail

Since May of 2016 Facebook has been prompting some new users for their email passwords. Yes, their email passwords. WTF?


Watch this episode on YouTube.

Reasonably Accurate Transcript

Hey, everybody. How are you doing today? Welcome to the show. In this episode we're gonna talk about Facebook and absolutely horrible privacy and information security practices. Again. I, I can't even, guys, I can't even. We are 100 and some, almost 200 episodes into Mornings with Mark.

I have talked about Facebook too many times and I didn't want to talk about Facebook today, but I have to, because there was a report that surfaced that highlighted a practice Facebook has implemented when you're signing up for new accounts.

And apparently it's been in place for almost three years now. Most of us didn't notice this because we've had Facebook accounts since the beginning, unfortunately, and we've seen scandal after scandal come out of Facebook. But what they were doing here is just ridiculous.

I don't know how anyone let this get by from a privacy perspective, from a security perspective, let alone why people would actually tolerate this as a requirement to sign up for an account. And I think it really shows the fact that people signing up for accounts feel like they don't necessarily have a choice.

Facebook has just gotten too big; there's too much going on in the platform to ignore it. So here's what happened. A security researcher highlighted the fact that when you sign up for Facebook with an email address that they've never seen before, they prompt you for your email password.

Yeah, let that sink in for a second. They're prompting you for your personal email password in an attempt to verify that it's your email account. OK. Not asking you to set a Facebook password, literally asking you for your email password. That is wrong.

Just flat out wrong. There's no wiggle room on that. The requirement to verify your email, I totally get that; most services, mailing lists being the most prominent among them, have that requirement. You know how you do that? You send somebody an email. Nice and easy.

You send an individually customized, expiring link to that email address and ask them to click on it to bring it back to the service. That way you verify that they actually own and have access to that account. You do not ask them for their password.

Obviously, there's a major issue here if you ask them for their password. Now you have their password; you can do anything you want with their email. And for users, what a massive breach of your privacy and security, because almost every account you own will let you reset the password through your email account.

It's a huge single point of failure for most of our operational security, but Facebook was actually asking you for this password and people were giving it to them. Great time to remark on the fact that you should never give your password out to anybody, ever, under any circumstances.

End of sentence, end of statement. Never. When support says, "Hey, we need your password": no, no you don't. Reset it, go through, and then you can generate a new password. Never give them your password. Just standard security 101. Never give anybody your password to anything, ever. Done. Point made for now.

So Facebook was doing this, and their biggest mea culpa here was, "Well, we know it was kind of bad practice, but we're sorry that we were scraping your email contacts without letting you know; that was an unintentional oversight, given that we used to allow you the option of importing your contacts."

What? No, no. That, yes, that's bad. Horrible. Absolutely. You shouldn't be importing contacts without people's permission. You shouldn't be prompting them to continue to import their contacts under any circumstances, because we've all seen the avalanche of new social media network spam that generates from that. But to ask them for their password?

So obviously I'm freaking out about this from a security perspective, even though it's been going on for three years, just because it's such an atrociously wrong practice. But let's put our evil hats on for a second. Or maybe not our evil hats; that might not be fair.

But why would you ever generate a feature like this in the first place? And I think the answer is in this contact-slurping activity: trying to suck in everybody's contacts in order to get more people onto the platform and to give new users a better experience, because they're connected, offering connections to people that they know.

Well, trying to walk somebody through how to export the contacts out of their email account is actually a real pain in the butt. You've got to figure out: are they using something like Gmail? Are they using something custom? There's a whole bunch of complexities here that you need to figure out, and to try to walk people through the help documentation would be monstrous.

So of course it's easier just to say, "Hey, give me your password." But this leads me to my key takeaway point for everybody. So, out of rant mode, into advice mode, because I was trying to give you guys something practical here on Mornings with Mark: just because it's maybe the easier way to do something doesn't mean you should breach fundamental security protocols.

If something is fundamental, like never asking people for their passwords, and it's something you have to break, if you have to ask people for their passwords to build a feature, you're probably building the wrong feature, right? You need to come out and give a trade-off and say, "Look, we can't implement this feature because it would break fundamental security." At some point, developers, engineers, people who are building technology, we need to put our foot down and say, "No, no, we can't do this."

This is gonna open up way more exposure than it's worth. This is not a good practice. This is not something we want to encourage within our digital communities. That's my takeaway. I can't go on any longer with this because I will just continue to rant.

I'm sure you have comments. I'm hoping they're all gonna be, "Ah, I agree with you." Hit me up online at Mark NCA, in the comments down below, and as always by email at Mark N dot ca. I hope you're set up for a fantastic day and a great weekend, and I will see you on the next episode of the show, where hopefully I will be calmer. Take care.
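The verification flow the transcript describes (send the address an individually customized, expiring link and let the click prove ownership; never touch the mailbox password) as an added Python example. This is editorial code, not code from the episode or from Facebook. It assumes an in-memory pending-token store, a hypothetical verify endpoint at https://example.test/verify, a default one-hour link lifetime, and constructed sample addresses; a real deployment would back the store with a database but keep the same three properties: random token, stored only as a hash, single use with an expiry.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class EmailVerifier:
    """Proves ownership of an email address with a single-use, expiring link.

    The service only ever sends mail to the address; it never needs (and must
    never ask for) the user's mailbox password. The link carries a random
    token; the server stores only a hash of it, so a leaked table of pending
    verifications cannot be turned back into working links.
    """

    def __init__(self, base_url, ttl_seconds=3600, clock=time.time):
        self.base_url = base_url          # hypothetical verify endpoint
        self.ttl_seconds = ttl_seconds    # link lifetime; one hour assumed
        self.clock = clock                # injectable so expiry is testable
        self._pending = {}                # sha256(token) -> (email, expires_at)

    @staticmethod
    def _key(token):
        # Only the hash is stored; the raw token exists only in the mailed link.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_link(self, email):
        """Create a fresh 256-bit random token for `email`; return the link to mail."""
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (email, self.clock() + self.ttl_seconds)
        return f"{self.base_url}?{urlencode({'token': token})}"

    def verify(self, token):
        """Return the verified email, or None if the token is unknown, used or expired."""
        # pop() makes the token single-use: a second click or a replay fails.
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None
        return email


def token_from_link(link):
    """Extract the token query parameter from a verification link ('' if absent)."""
    values = parse_qs(urlparse(link).query).get("token", [])
    return values[0] if values else ""


if __name__ == "__main__":
    # Constructed sample run: a fixed fake clock makes expiry deterministic.
    now = [1_700_000_000.0]
    verifier = EmailVerifier("https://example.test/verify", ttl_seconds=600,
                             clock=lambda: now[0])
    link = verifier.issue_link("alice@example.test")   # constructed address
    token = token_from_link(link)
    print("first click :", verifier.verify(token))     # alice@example.test
    print("second click:", verifier.verify(token))     # None (single use)
    stale = token_from_link(verifier.issue_link("bob@example.test"))
    now[0] += 601
    print("after expiry:", verifier.verify(stale))     # None (link expired)
```

Three details carry the security weight. The token comes from `secrets`, not `random`, so it cannot be predicted from earlier tokens. The store keeps `sha256(token)` rather than the token, so a dump of the pending table is not a pile of valid links. And `pop()` plus the expiry check mean a link can be clicked exactly once and only within its lifetime, which is what makes a forwarded or intercepted link mostly worthless to anyone but the recipient.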
