Time and time again, security experts warn you not to share your password with anyone, yet sites like Facebook are always encouraging you to give them the password of an account that is not a Facebook account… your email account.
You’ve probably seen the screenshot below on your Facebook friends page. It is asking you for the password to the email account you used to sign up for Facebook. This means you are giving Facebook the keys to your email account. Given the miserable track record that Facebook has when it comes to privacy, that is not an advisable action. Facebook claims they want to help you find your friends, and providing the password allows them to search your contact list and cross-reference it for email addresses of other Facebook account holders.
Do you notice anything here? At the bottom it says that Facebook will not store your password, but do you see what it does not say? It does not say that Facebook won’t read your email. It does not say that Facebook won’t share your email contacts with third parties. In fact, if you click on the “Learn More” link, you will find that Facebook is doing a bit more than only looking up the email addresses you have to see if they match the email addresses of other Facebook users. Here’s what the “Learn More” screen looks like.
Not only will they use your information to make suggestions to you, but they will also use it to make suggestions to your contacts, regardless of whether or not you want them to, and they will store that information. The last thing the screen says is “If you do not want us to store this information, visit this page”. What do you think “this page” says?
Yeah… “We also display these contacts in your Facebook Phonebook”.
Of course this isn’t going to be an issue for anyone who follows the advice not to share their passwords with anyone. Allowing a social networking site to peruse your email address book to help you find friends may be convenient, but it may also have some unintended consequences.
If you use the similar feature on MySpace you will end up spamming your friends. That’s right, MySpace claims that they will spam your friends if you give them the email addresses, but they also contradict themselves and say they won’t. Here is the fine print at the bottom of the MySpace find friends page.
First, MySpace says that they will send reminder invitations AND promotional messages. Unsolicited promotional messages are SPAM. Your friends did not ask you to have MySpace spam them; you only wanted an invitation to be sent. After acknowledging that they will spam the people whose email addresses you share, MySpace then lies and says they will never spam. This is an obvious contradiction. Share your password, spam your contacts.
LinkedIn simply doesn’t say what they will or will not do with your password at all!
The bottom line is that sharing a private password with a social network is never a good idea.
Director of Technical Education
Author ESET Research, ESET