Let’s take a look at Digg.com, a website that uses Facebook connect. When you click on the button: “Connect with Facebook”, a pop-up window like in the screen below will appear:

Problem is, that even a script kiddie can very easily emulate this pop-up window. It took me only 1/2 hours to get this button to work (click on it, works only on CSS3 browsers):

I’m wondering, how many time would need somebody really interested in phishing accounts to setup a perfect clone and start asking for “Facebook connections”? 2 hours? 3 hours?

People think that this is not so bad, as long as the phisher’s website has nothing to offer, but a smart phisher will be persuasive enough in order to make the people think that they should provide their login credentials. For example the phisher could pretend that he gives on his website the next lottery’s winning numbers.

Very, very bad for Facebook. Facebook really, really sucks with this.