I’d like to apologize to Google CEO Eric Schmidt for impersonating him on Facebook today.
It’s actually pretty easy, too easy, to do this. A reader emailed earlier today letting us know that someone had been impersonating them on Facebook using a real, but unused, email address of theirs.
I tested this by creating a fake Facebook account for Eric Schmidt based on his real email address. I tried to do this with a few Facebook execs first but it didn’t work because the emails I have for them are already associated with their real accounts.
The email address I have for Schmidt, however, isn’t associated with any Facebook account. It worked.
Of course I could have created a fake Eric Schmidt account without using his real email. But by using that email address Facebook immediately started suggesting friends to me – presumably people who have uploaded their contacts, including that email address, to Facebook in the past.
The profile isn’t particularly believable, but after a few high profile people became friends and were linked on the profile, the invites started pouring in.
You Don’t Have To Verify Email Addresses To Use Them With Facebook
As soon as the account was created I was asked to verify the email address. I ignored that and instead just turned off all email notifications. But I can still use the account to add friends, accept friend requests, like status posts, and send and receive messages.
Messages occasionally pop up saying “Before you can interact with other people on Facebook, you need to confirm your email address.” But most activity isn’t restricted at all.
I’m fairly certain that the account will be disabled shortly. But what if I had faked a less high profile individual, and didn’t write on TechCrunch about it?
The person being impersonated may see the Facebook confirmation email. But since they didn’t just create an account, the natural thing to do is to ignore that email rather than click on the link. By ignoring it, though, they are letting me continue to pretend to be them.
The fix for this is easy – Facebook shouldn’t let people do anything at all with an account until they’ve verified their email address. But that creates extra friction with account creation, which is probably why they let people do so much before they verify.
And lots of services do the same. But with Facebook, I immediately have access to a pretty robust social graph. All those suggested friends are people who have Eric’s email address in their contacts, and as I showed, it’s pretty easy to fool people into thinking I really am Eric. One person even sent a fairly private message to me.
If Facebook doesn’t change this, there’s one easy way to protect yourself. Just add every email address you use to your Facebook account and verify each one. If there are old addresses you no longer control, you can’t add and verify them, so some exposure remains.
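As an added illustration (this is not code from the post, and not Facebook’s own code), the following Python toy models the three points above: an account created with someone else’s unverified address can immediately mine the contact-upload graph, gating every action behind verification closes that hole, and an owner who has already claimed and verified the address blocks the sign-up outright. The member names, addresses and uploaded contact lists are constructed for the example.

```python
"""Toy model of the account-activation gap: an account created with someone
else's (unverified) e-mail address is used against the contact-import graph
before the address is ever confirmed. The 'weak' policy lets unverified
accounts act; the 'hardened' policy gates graph and messaging actions behind
verification. All names and addresses below are constructed.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Union


@dataclass
class Account:
    email: str
    display_name: str
    verified: bool = False
    # Random token sent (only) to the mailbox; cleared once used.
    pending_token: Optional[str] = None


class SocialNetwork:
    def __init__(self, gate_unverified: bool):
        self.gate_unverified = gate_unverified
        self.accounts: dict[str, Account] = {}
        # Constructed sample data: members who uploaded address books, and the
        # addresses found in them. Friend suggestions for a new account come
        # from this mapping, keyed purely on the sign-up address.
        self.uploaded_contacts = {
            "alice@example.com": {"ceo@example.com", "dave@example.com"},
            "bob@example.com": {"ceo@example.com"},
            "carol@example.com": {"dave@example.com"},
        }
        self.outbox: list[tuple[str, str, str]] = []

    def sign_up(self, email: str, display_name: str) -> str:
        """Create an account and return the confirmation token that would be
        e-mailed to `email`. Whoever controls the mailbox receives it; an
        impersonator who merely knows the address does not."""
        if email in self.accounts:
            raise ValueError("address already associated with an account")
        token = secrets.token_urlsafe(32)
        self.accounts[email] = Account(email, display_name, pending_token=token)
        return token

    def verify(self, email: str, token: str) -> bool:
        acct = self.accounts[email]
        if acct.pending_token is None:
            return False
        # Constant-time comparison, as for any bearer secret.
        if not hmac.compare_digest(acct.pending_token, token):
            return False
        acct.verified, acct.pending_token = True, None
        return True

    def _require_verified(self, acct: Account) -> None:
        if self.gate_unverified and not acct.verified:
            raise PermissionError("confirm your email address before interacting")

    def suggest_friends(self, email: str) -> list[str]:
        """Members whose uploaded contacts contain `email`."""
        acct = self.accounts[email]
        self._require_verified(acct)
        return sorted(uploader for uploader, contacts in self.uploaded_contacts.items()
                      if email in contacts)

    def send_message(self, sender: str, recipient: str, text: str) -> None:
        self._require_verified(self.accounts[sender])
        self.outbox.append((sender, recipient, text))


def impersonate(net: SocialNetwork) -> Union[str, list[str]]:
    """An attacker who knows, but does not control, ceo@example.com signs up
    with it and immediately harvests friend suggestions. The e-mailed token
    is never seen by the attacker, so the account stays unverified."""
    try:
        net.sign_up("ceo@example.com", "Eric S.")
        return net.suggest_friends("ceo@example.com")
    except (ValueError, PermissionError) as exc:
        return f"blocked: {exc}"


def demo_weak_policy() -> Union[str, list[str]]:
    # Unverified account still gets the graph: → ['alice@example.com', 'bob@example.com']
    return impersonate(SocialNetwork(gate_unverified=False))


def demo_hardened_policy() -> Union[str, list[str]]:
    # Same attack, every action gated behind verification: → 'blocked: ...'
    return impersonate(SocialNetwork(gate_unverified=True))


def demo_claimed_address() -> Union[str, list[str]]:
    """The user-side mitigation: the real owner adds and verifies the address
    first, so a later sign-up with it is refused before any graph access."""
    net = SocialNetwork(gate_unverified=True)
    token = net.sign_up("ceo@example.com", "Eric Schmidt")  # owner receives token
    assert net.verify("ceo@example.com", token)
    return impersonate(net)


if __name__ == "__main__":
    print("weak policy:    ", demo_weak_policy())
    print("hardened policy:", demo_hardened_policy())
    print("claimed address:", demo_claimed_address())
```

The gate is deliberately applied inside every action rather than at login: the post’s point is that the account was created and usable without the mailbox ever being touched, so a per-action `verified` check is what actually removes the impersonator’s access to the graph. Claiming your own addresses works for the same reason the attack does: whoever verifies an address first owns it.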
We’ve emailed Facebook for comment. I actually almost just messaged Elliot Schrage via the fake Schmidt account for comment, but that seems like poor form.
ps – Max Haot, the CEO of Livestream, just sent an email in to tips@techcrunch saying how funny it is that Schmidt only has six friends. He asks us to credit him if we post, so we are. This shows how believable this is. Here’s his email: