e-sushi

e-sushi kicks Facebook
for Facebook’s password fishing practices

This is just one of many examples of e-sushi being mentioned in international press.

e-sushi’s tweet on March 31, 2019

Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you’re practically fishing for passwords you are not supposed to know!

what happened

In the simplest words: Facebook was asking users who were registering at their website to provide the password of their email provider “for verification purposes”. Yes, they were actually fishing for the password you use in your email client to access your email account.

Anyone having your email account password has full access to your email account. They can not only read your contacts, but also all your emails. Also, having your email password, they can even send email from your account – which makes it easy to impersonate you. And let’s not forget about the fact that services like Google use that password to let you access all of their services, which means that anyone having your “Gmail” email account password could access most of your online life (Gmail, Google Calendar, Google Docs, YouTube, etc.).

Such an implementation is practically a security nightmare, especially when coming from a large company like Facebook – which is commonly known to have a bit of a history related to privacy scandals and security events. Besides… asking for third-party passwords is about the worst way to “verify” a new user. In fact, it’s what malicious hackers do when they send you emails in an attempt to make you go to a site and provide your credentials (known as “phishing”). But this wasn’t some bad hacker trying to trick you into visiting a fake login form. It was Facebook, who was bluntly fishing for email account passwords out in the open!

disclosure problems when dealing with Facebook

As a logical consequence of Facebook’s privacy-invading and security-lacking implementation, I could not sign up for a Facebook account unless I’d share my personal email password – which I wasn’t planning to do.

The problem is, having a Facebook account is a requirement to access their whitehat program and to use their online disclosure form. Since I could not report things to Facebook in the usual “responsible disclosure” way without impacting my own, personal security and privacy while attempting to do so, they practically left me with no other option than to drop my finding in public on Twitter. I mean, I sure wasn’t going to give Facebook my personal email password just to be able to report to them that asking for such passwords is something no company should be doing.

In the end, my tweet turned out to be the only way to make Facebook take down their implementation… even though that also meant I’d never receive any of the usual rewards from Facebook – neither monetary, nor in the form of swag or something similar. At least, I knew I could draw satisfaction from the fact that my “going public” would secure millions of users worldwide. Up until today, I’m convinced that’s worth more than a laptop sticker or a small amount of cash.

the international press

The international press picked up my tweet pretty quickly and journalists around the globe soon started asking both Facebook and me questions.

It took me a day, but I actually managed to send a decent reply to every journalist asking for more information. I merely refrained from giving Brian Krebs (krebsonsecurity.com) insights, as I have learned to know him as an unethical journalist; mostly because of his repeated doxxing of benign security researchers. I don’t support unethical journalists, it’s that simple.

Anyway, the following articles talk about how I uncovered and called out this Facebook security issue that turned out to be a full-fledged privacy scandal with global impact, affecting millions of people.

And many more… the story even made it into several international television news broadcasts.

facebook

The international press echoes based on my finding and related tweet(s) ultimately forced Facebook to pull their implementation offline after 96 hours. Even though I never received any kind of bounty from Facebook for reporting the security issue, at least they eventually managed to push themselves to publicly acknowledging my finding in a public tweet.

Replying to @originalesushi: Thank you for finding and raising this issue. We moved quickly to address it but should have acknowledged your work sooner.

Whatever that tweet is worth…

All in all, it took them 4 days to pull their wrongdoing offline, and 2 more days to drop that luke-warm “thank you” tweet. By that time, I personally had already reached out to a handful of Facebook’s security-tasked employees to inform them about this password fishing issue and some other information security related problems which were never discussed in public (again, no bounty reward whatsoever), while the press was all over Facebook’s public image because of Facebook’s password fishing issue that I had put into public focus. Due to the press echo, Facebook *had* to react publicly and that tweet was obviously the best they could do while playing the “corporate damage control” game.

thank you, journalists

Last but not least, I want to express my sincere “thank you” to all journalists involved. Without the international press echo and journalistic pressure, Facebook could (and most probably would) have bluntly ignored my tweets.

epilogue

My personal opinion – before and after this event – is that Facebook is both a privacy as well as a security nightmare on too many levels, and that you should stay away from that network (Facebook, Instagram, et al.) as much as you possibly can. Yet, that might just be me, after having looked too deep into too many of Facebook’s privacy-invading and security-lacking rabbit holes. The things I’ve seen… are part of another story, not to be told here.

a side-note in case you want to delete your facebook account

If you were to ask me, I would recommend that you delete your Facebook account. In case you do, please do not be fooled into switching from a deletion request to a deactivation request. Facebook being Facebook, they employ a few deceptive tricks to encourage users to just deactivate their account. An example trick is to push the “deactivation” link in your face while placing the “deletion” link out of context somewhere down the page, so you won’t see it unless you scroll down and explicitly go look for that deletion link. Always remember that “deactivation” is not “deletion”. You’ll want “deletion”, nothing less.