My friend James called me this afternoon and asked if “the iPad thing” was for real. I had no idea what he was talking about. He quickly informed me of my latest Facebook status update, and when I got home I saw it with my own two eyes:
Finally got my iPad from that site! 5 days ago I signed up at [link redacted] as a tester and today I got my iPad. All you need to do is to tell them your opinion about iPad and you can keep it forever. You should hurry since i highly doubt this is gonna last forever
Was my account hacked? Not exactly. That is, I don’t think my password was compromised. It seems this status update was sent via Facebook mobile, which I’d set up a week or two ago. That allows me to update my Facebook status via text message, as with Twitter. The fatal flaw? My mobile phone number is readily available via my Facebook profile. Anyone who can fake a text message from that number can update my status. Seems like a big and obvious security hole, so I expect to see plenty more of this exploit.
I deleted the status update, and I’ve taken the rudimentary step of setting my mobile phone to be visible to “Only Me” in my Facebook privacy options. Previously it had been available to “Friends and Networks.”
As for the link included in the bogus status update, it takes you to a site called Your Reward Inside which tries to collect personal information from prospective iPad “testers.” The site is listed on Scam Checker Report. The site is dissected a bit more on Mea Vita.
Don’t fall for this, friends.