Facebook Shamelessly Abuses Two-Factor Authentication System To SMS Spam Users With Click Bait


You can never be too cautious when it comes to security, and for that reason turning on two-factor authentication (when available) is typically a good thing. Unfortunately, Facebook has decided to abuse the feature by spamming users who enable the added security measure with notifications of what's happening in the world of social media. That is not the intent of two-factor authentication, and quite frankly, it's complete bull spit that Facebook is doing this.

The issue was brought to attention by Gabriel Lewis, a software engineer "with a passion for technology, design, and entrepreneurship." In a Twitter post, Lewis explains that he signed up for two-factor authentication, after which he began receiving hyperlinked texts from Facebook directing him to activity on his feed. He also posted screen captures, one of which shows Facebook posting his text message replies—"stop," "Pls stop," and "STOP"—to his wall.

Having replies posted to his wall seems like a bug, though it isn't (more on that in a moment). But using two-factor authentication as an opportunity to spam users with social media updates is bad form, no matter how you slice it. And to be clear, Lewis did not opt into receiving mobile notifications.

Lewis is not alone in this one. Kate Conger at Gizmodo says she has been getting the same types of spam messages on her mobile device since last summer, after she opened a new Facebook account and turned on two-factor authentication.

"At first, I only got one or two texts from Facebook per month. But as my profile stagnated, I got more and more messages. In January, Facebook texted me six times—mostly with updates about what my ex was posting. This month, I’ve already gotten four texts from Facebook. One is about a post from a former intern; I don’t recognize the name of one of the other 'friends' Facebook messaged me about," Conger wrote.

Conger also confirmed that replies to text messages from Facebook get posted on the social network. In her case, she replied, "Abusing a security tool like 2fa to spam users is a really sh***y, shortsighted thing to do," which Facebook promptly posted as a comment on a vacation photo that her boss posted two weeks prior. Talk about an embarrassing moment.

There is a way out, Conger discovered. When two-factor authentication is enabled, notifications get turned on by default. To turn them off, head to Settings > Notifications and toggle them off.