How to Impersonate the CEO of Google—Or Anyone Else—on FacebookS

Earlier today, YouTube founder and CEO Chad Hurley accepted a Facebook friend request—from Google CEO Eric Schmidt. The email address was legit, so the account must've been too, right? Nope: "Schmidt" was actually TechCrunch editor Michael Arrington.

Arrington spent Sunday impersonating Schmidt after hearing about a tipster who had been impersonated by someone using an unused email address of the tipster. Using an email address for Schmidt that Arrington had, the blogger and TechCrunch founder set up a Facebook account under Schmidt's name, uploading a photo and putting the Google CEO's real birthday in the profile info.

By the end of the day, "Schmidt" was friends with Hurley, Facebook VP Elliott Schrage, Arrington himself, and "a few high profile people"; friend requests were "pouring in"; and "one person even sent a fairly private message to" Arrington-as-Schmidt.

Impersonating people on Facebook isn't new (I, like every other "hilarious" college sophomore in 2004, was put in Facebook jail for my Barack Obama profile), but it's rare for a fake profile to be so successful, so quickly. So how did Arrington's hoax work?

Theoretically, Facebook requires users to verify their email addresses. But it still extends a great deal of functionality to accounts without verified addresses, like the ability to make and accept friend requests. But more importantly, you don't need to have a verified email address for Facebook to recommend friends for you—specifically, friends who have uploaded the hoax victim's email address to Facebook before, most likely as part of the site's "Friend Finder" feature, which automatically searches through your Gmail or Yahoo! Mail address books.

It was that recommendation "feature" that put Hurley and Schrage in front of Arrington's fake Schmidt account. But the "activity" of Hurley and Schrage accepting the friend request from "Schmidt," began to show up in the news feeds of friends of Hurley and Schrage, who then extended friend requests to the fake Schmidt themselves.

The hoax, then, relies on two things: One, the fact the Facebook allows for friend recommendation even with unverified email addresses, which is something Facebook could, and should, address. And two, the legitimacy conferred upon it by people like Hurley and Schrage—a conferral spread all the more rapidly via the automatic broadcast of Facebook's news feed.

The counter-Schmidt profile is still up as of the publishing of this post and can be found here. The funniest part of the whole episode, though, might be the tip that Arrington received from LiveStream CEO Max Haot, crowing over his discovery that "Eric Schmidt" only had 6 friends on Facebook:

How to Impersonate the CEO of Google—Or Anyone Else—on FacebookS

[TechCrunch]