Share Your Password, Spam Your Friends

Time and time again security experts warn you not to share your password with anyone, yet sites like Facebook are always encouraging you to give them the password of an account that is not a Facebook account… your email account.

You’ve probably seen the screenshot below on your Facebook friends page. It is asking you for the password to the email account you used to sign up for Facebook. This means you are giving Facebook the keys to your email account. Given the miserable track record that Facebook has when it comes to privacy, that is not an advisable action. Facebook claims they want to help you find your friends, and providing the password allows them to search your contact list and cross-reference it for email addresses of other Facebook account holders.

 

Do you notice anything here? At the bottom it says that Facebook will not store your password, but do you see what it does not say? It does not say that Facebook won’t read your email. It does not say that Facebook won’t share your email contacts with third parties. In fact, if you click on the “Learn More” link you will find that Facebook is doing a bit more than only checking whether the email addresses you have match those of other Facebook users. Here’s what the “Learn More” screen looks like.

 

Not only will they use your information to make suggestions to you, but they will use it to make suggestions to your contacts, regardless of whether or not you want them to, and they will store that information. The last thing the screen says is “If you do not want us to store this information, visit this page”. What do you think “this page” says?

 

Yeah… “We also display these contacts in your Facebook Phonebook”.

Of course this isn’t going to be an issue for anyone who follows the advice not to share their passwords with anyone. Allowing a social networking site to peruse your email address book to help you find friends may be convenient, but it may also have some unintended consequences.

If you use the similar feature on MySpace you will end up spamming your friends. That’s right, MySpace claims that they will spam your friends if you give them the email addresses, but they also contradict themselves and say they won’t. Here is the fine print at the bottom of the MySpace find friends page.


 
First, MySpace says that they will send reminder invitations AND promotional messages. Unsolicited promotional messages are SPAM. Your friends did not ask you to have MySpace spam them; you only wanted an invitation to be sent. After acknowledging that they will spam the people whose email addresses you share, MySpace then lies and says they will never spam. This is an obvious contradiction. Share your password, spam your contacts.

LinkedIn simply doesn’t say what they will or will not do with your password at all!

The bottom line is that sharing a private password with a social network is never a good idea.

Randy Abrams
Director of Technical Education
ESET LLC

Author ESET Research, ESET

  • Leo Davidson

    To make matters worse, Facebook keep advertising the friend finder at the side of the page, saying that X and Y friends used it to find friends.

    I know for a fact that many of the people it claims have used it have not — many would never be stupid enough to give Facebook their email password and some have categorically confirmed that they have never used it — so it seems to be a complete lie, aimed at making you think your friends have used something and let your guard down about using it as well.

    (Perhaps other people have found the mentioned friends via it, but that does not mean my friends “have found friends” (it means friends have found them, which is quite different, at least in my English language).)

    But I guess Facebook never really did respect its users. I just wonder if it’s legal for them to tell outright lies about people using features they haven’t.

  • Joshua

    Just another reason NOT to have any social media pages, period. I have people who just can’t understand why I do not have a Facebook page. I find it obvious. I simply do not care to be that connected to people I vaguely remember or have no intention of ever talking to again.
