Oct 11, 2010 07:54 GMT

Bloggers from TechCrunch have created a fake profile of Google's CEO Eric Schmidt in order to point out a weakness in the way Facebook handles newly registered accounts.

The interesting aspect of this proof-of-concept attack is that the impersonator registered with an email address belonging to the victim, even though the impersonator has no access to that mailbox.

Most people, especially those who have been on the Internet for a while, have multiple email accounts, some of which they no longer use for various reasons: either the address receives too much spam or the username sounds too childish after many years.

But even though they are no longer actively used, these email addresses remain in the contact lists of old friends, work colleagues and family members, and on Facebook this becomes an impersonation risk.

The social networking site allows a new account to be registered with any email address that is not already associated with an existing account. After registration, the user is asked to verify the address by clicking on a special link sent to it.

However, unlike many other services, Facebook allows a wealth of actions to be performed from a newly registered account before the associated email address has been verified.

For example, adding new friends, accepting friend requests, liking other people's posts, and sending and receiving private messages are all possible.

In addition, the rogue account will appear in the recommended friends lists of people who have that email address in the contact lists they uploaded to Facebook, because the suggestion is keyed on the claimed address, not on a verified one.
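The gap described in the last three paragraphs comes down to which actions are gated on email verification. The following model, added here as an illustration and not code from Facebook or TechCrunch, registers an impostor under a victim's forgotten address, uploads a colleague's address book that still contains that address, and then computes friend suggestions and messaging rights under two policies: the permissive one described above and a hardened one that treats an unverified address as if it did not exist. The class and function names (`Directory`, `User`, `suggest_friends`, `can_message`, `run`, `owner_claims_first`) and the addresses are all constructed for the example.

```python
"""Model of registration, email verification and contact-based friend suggestions.

Added example; not Facebook code. Every name and address here is hypothetical.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    email: str                      # address claimed at registration, unproven
    verified: bool = False          # set only when the emailed token is presented
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    contacts: set = field(default_factory=set)   # uploaded address book


class Directory:
    def __init__(self, require_verification: bool):
        # False models the permissive behaviour the article describes;
        # True models the hardened policy (unverified accounts are invisible
        # and cannot act).
        self.require_verification = require_verification
        self.users: dict[str, User] = {}   # email -> User

    def register(self, name: str, email: str) -> User:
        # Any address not already tied to an account can be claimed, no proof needed.
        if email in self.users:
            raise ValueError("address already associated with an account")
        user = User(name, email)
        self.users[email] = user
        return user

    def verify(self, email: str, token: str) -> bool:
        # The owner of the mailbox clicks the link carrying the token.
        user = self.users[email]
        if secrets.compare_digest(user.token, token):
            user.verified = True
        return user.verified

    def _usable(self, user: User) -> bool:
        return user.verified or not self.require_verification

    def suggest_friends(self, viewer_email: str) -> list:
        # Match the viewer's uploaded contacts against registered addresses.
        viewer = self.users[viewer_email]
        names = []
        for addr in viewer.contacts:
            match = self.users.get(addr)
            if match is not None and match is not viewer and self._usable(match):
                names.append(match.name)
        return sorted(names)

    def can_message(self, sender_email: str) -> bool:
        return self._usable(self.users[sender_email])


def run(require_verification: bool) -> tuple:
    """Constructed scenario: the victim's old address was never registered."""
    d = Directory(require_verification)
    impostor = d.register("Fake Eric", "eric.old@example.com")   # never verifies
    colleague = d.register("Colleague", "colleague@example.com")
    d.verify(colleague.email, colleague.token)                   # colleague clicked the link
    colleague.contacts.add("eric.old@example.com")               # from an uploaded address book
    return d.suggest_friends(colleague.email), d.can_message(impostor.email)


def owner_claims_first() -> bool:
    """The user-side defence: the real owner associates the old address before anyone else."""
    d = Directory(require_verification=False)
    d.register("Eric", "eric.old@example.com")
    try:
        d.register("Fake Eric", "eric.old@example.com")
    except ValueError:
        return True    # the impostor's registration is refused
    return False


if __name__ == "__main__":
    print("permissive policy:", run(False))   # impostor suggested, can message
    print("hardened policy:", run(True))      # impostor invisible, cannot message
    print("owner registered first:", owner_claims_first())
```

Under the permissive policy the unverified impostor shows up in the colleague's suggestions and can send messages; under the hardened policy the same account is invisible and inert until the mailbox owner clicks the link, which an impersonator cannot do. The last function models the only defence available to users on the permissive system: claiming the address first.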

In the case of Mr. Schmidt's impersonation, dozens of friend requests started pouring in soon after the rogue account was created using a real email address that belonged to him.

YouTube's founder Chad Hurley and Facebook's own Vice President Elliot Schrage were amongst the people who befriended the fake Eric Schmidt.

TechCrunch's Michael Arrington points out that even if they still happen to monitor the abused email account, most people will probably ignore the verification links sent by Facebook, dismissing the messages as phishing or other attacks.

In theory, one way for users to protect themselves against this believable form of impersonation is to associate all of their email addresses, including the ones they no longer read, with their Facebook account, so that nobody else can register with them.

Unfortunately, in practice it's unlikely that people will go to all that trouble, and it's also unlikely that Facebook will restrict the actions users can perform before confirming their email address, for usability reasons.