The other day a friend of mine sent me a notice on Facebook about how Optimus Prime wanted to send me a message. I didn’t bother opening up the email, listening to the message, or doing whatever it was that this application wanted me to do.
However, yesterday I got something interesting in my voicemail. I opened up my phone to check my messages and saw that I had a new voice message from my old home in Canada (I now live in Washington state). That’s weird, I thought. Who could possibly be phoning? It’s my old phone number…
It couldn’t be my parents; they are currently out of province. I scanned through people who might have access to the house, and it certainly wouldn’t be my other relatives; it wouldn’t make sense to phone from there and not from their own residence. In other words, the house where the call was made from was empty, and it was very unlikely anyone from there would phone me.
So, I checked my voice mail. Imagine my surprise when I heard Optimus Prime’s voice warning me about an imminent invasion. I rolled my eyes and hung up the phone. I put the pieces together and figured out that Facebook sent me a message and claimed it came from me! I can’t recall ever entering my phone number into Facebook, so my friend who sent me the message must have entered it (kind of strange since I’ve been out of Canada for two months). However, the point is that by claiming that the message came from me, Facebook was essentially spoofing me.
This kind of irritated me. I’ve been preaching for a long time about sender authentication and how spammers will spoof legitimate organizations in order to add legitimacy to their nefarious purposes. It’s a weakness in SMTP that allows spammers to do this. Now, Facebook’s doing the same thing!
For shame, Facebook. For shame.
Update: As it turns out, my brother also sent me the message. He was overseas when he sent it, so what I guess happened is that he sent me a message and said it came from my old phone number. So, Facebook wasn’t spoofing me. Still, my point remains – you can put any old telephone number on there and spoof the sender. Methinks this constitutes a security weakness.
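The same weakness, made concrete in the e-mail setting the post compares it to. This is an added example, not code from the original post or from Facebook: SMTP lets a sender put any address in the From: header, so a receiving mail system has to check that header against something it can actually verify, such as the envelope sender (what DMARC calls identifier alignment). The script builds a message that claims to come from the recipient’s own address, the way the voicemail claimed to come from my old number, and runs the alignment check on it. The domains example.com and example-app.test and every address below are made up for the example, and the "organizational domain" shortcut (last two labels) is a simplification of the Public Suffix List rule that real DMARC uses.

```python
"""Added example: DMARC-style identifier alignment between the envelope
sender (RFC 5321 MAIL FROM) and the From: header (RFC 5322) a user sees.

All addresses and domains here are constructed for the example; the
organizational-domain rule is a simplification of the Public Suffix List.
"""
from email.message import EmailMessage
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Crude organizational domain: the last two labels.
    mail.example.com -> example.com. (Assumption: no multi-label
    public suffixes such as co.uk; real DMARC consults the PSL.)"""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def addr_domain(addr: str) -> str:
    """Domain of the addr-spec, ignoring any display name.
    '"user@example.com" <notify@example-app.test>' -> 'example-app.test'
    Returns '' when there is no usable addr-spec."""
    _, spec = parseaddr(str(addr))
    if "@" not in spec:
        return ""
    return spec.rsplit("@", 1)[1].lower()


def alignment(envelope_from: str, msg: EmailMessage, strict: bool = False) -> dict:
    """Compare the envelope sender domain with the From: header domain.

    Relaxed mode accepts the same organizational domain (so a bounce
    address under mail.example.com may carry a From: at example.com);
    strict mode demands an exact match. Nothing in SMTP itself forces
    these two identifiers to agree, which is exactly the weakness."""
    env = addr_domain(envelope_from)
    hdr = addr_domain(msg.get("From", ""))
    if not env or not hdr:
        return {"aligned": False, "envelope_domain": env,
                "header_domain": hdr, "reason": "missing or malformed address"}
    ok = (env == hdr) if strict else (org_domain(env) == org_domain(hdr))
    return {"aligned": ok, "envelope_domain": env, "header_domain": hdr,
            "reason": "ok" if ok else "From: header not backed by envelope sender"}


def make_message(header_from: str, to: str, subject: str, body: str) -> EmailMessage:
    """Build a plain-text message with whatever From: the caller asks for."""
    m = EmailMessage()
    m["From"] = header_from       # unauthenticated: the sender picks this freely
    m["To"] = to
    m["Subject"] = subject
    m.set_content(body)
    return m


# Constructed scenario: an application relay sends a message that claims
# to come from the recipient's own address.
SPOOFED = make_message("user@example.com", "user@example.com",
                       "A message from Optimus Prime", "An invasion is imminent.")
LEGIT = make_message("user@example.com", "friend@example.com",
                     "Hello", "Sent through the domain's own mail servers.")
# Display-name trick: the visible name is an address, the real addr-spec is not.
DISPLAY_NAME_TRICK = make_message('"user@example.com" <notify@example-app.test>',
                                  "user@example.com", "Hi", "Looks like you sent this.")


def demo() -> dict:
    """Run the three constructed cases and return the alignment verdicts."""
    return {
        "spoofed_relaxed": alignment("bounce@example-app.test", SPOOFED)["aligned"],
        "legit_relaxed": alignment("bounce@mail.example.com", LEGIT)["aligned"],
        "legit_strict": alignment("bounce@mail.example.com", LEGIT, strict=True)["aligned"],
        # Alignment passes here: the header addr-spec really is at the relay's
        # domain. Only showing users the addr-spec, not the display name, helps.
        "display_name_trick": alignment("bounce@example-app.test", DISPLAY_NAME_TRICK)["aligned"],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'aligned' if verdict else 'NOT aligned'}")
```

The third case is the one worth dwelling on: alignment is satisfied because the real addr-spec belongs to the relay’s domain, and the lie lives entirely in the display name. Alignment catches a forged address; it cannot catch a forged name, which is why mail clients that hide the addr-spec behind the display name undo much of the benefit. The telephone analogue is the same: a caller ID field that anyone can fill in is only a claim until something on the receiving side binds it to the party who actually placed the call.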