The launch of Facebook Connect is a perfect example of how amazingly forgetful tech media can be. Despite the regular appearance of phishing-related news, no alarm is being raised about the glaring phishing vulnerability in Facebook Connect, just the usual armchair-general strategy bravos and hype.
First, there is zero phishing protection in Facebook Connect as it is implemented now. What they need, at the very least, is something like Bank of America’s SiteKey: a step in which the site proves itself to the user before the user is asked for a password.
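As an added illustration, not from the original post and not SiteKey’s actual implementation, here is a simplified mutual-authentication login flow of the kind SiteKey popularized: the user types only a username, the site answers with the image and phrase that user enrolled (on a device it has seen before), and only then does the user type a password. The user store, the HMAC-bound device token, the challenge question and the sample credentials are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed user store for the example. At enrollment the user picks an
# image and a pass phrase in addition to the password; these are what the
# site shows back to prove it is the real site.
_SALT = b"example-salt"  # use a random per-user salt in a real deployment


def password_verifier(password: str) -> bytes:
    """Derive a stored verifier with a slow KDF (PBKDF2 here for brevity)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {
        "verifier": password_verifier("correct horse"),
        "sitekey_image": "img_lighthouse",
        "sitekey_phrase": "lighthouse at dusk",
        "challenge_answer": "rex",  # answer to CHALLENGE_QUESTION, set at enrollment
    }
}
CHALLENGE_QUESTION = "name of your first pet"

# Server-side key that binds a device token to a username. Generated per
# process here; a real service keeps it in a secret store.
_SERVER_KEY = secrets.token_bytes(32)


def issue_device_token(username: str) -> str:
    """Token set as a cookie once a device completes a fully verified login."""
    return hmac.new(_SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def device_recognized(username: str, token: Optional[str]) -> bool:
    if token is None:
        return False
    return hmac.compare_digest(issue_device_token(username), token)


def login_step1(username: str, device_token: Optional[str]) -> dict:
    """Step 1: the user submits only a username; there is no password field yet.

    On a recognized device the site answers with the user's enrolled image and
    phrase. A phishing page holds neither the enrollment data nor the device
    token, so it cannot reproduce this step; a user who does not see the
    expected image has a signal to stop before typing a password. Unknown
    users get the same response as an unrecognized device so the endpoint
    does not reveal which usernames exist.
    """
    user = USERS.get(username)
    if user is not None and device_recognized(username, device_token):
        return {
            "status": "show_sitekey",
            "image": user["sitekey_image"],
            "phrase": user["sitekey_phrase"],
        }
    return {"status": "challenge_required", "question": CHALLENGE_QUESTION}


def login_step2(
    username: str,
    password: str,
    device_token: Optional[str] = None,
    challenge_answer: Optional[str] = None,
) -> dict:
    """Step 2: password check, preceded by the challenge question on unknown devices."""
    user = USERS.get(username)
    if user is None:
        return {"status": "denied"}
    if not device_recognized(username, device_token):
        expected = user["challenge_answer"].encode()
        if challenge_answer is None or not hmac.compare_digest(
            challenge_answer.strip().lower().encode(), expected
        ):
            return {"status": "denied"}
    if not hmac.compare_digest(password_verifier(password), user["verifier"]):
        return {"status": "denied"}
    # Success: bind this device so the next visit can show the enrolled image.
    return {"status": "ok", "device_token": issue_device_token(username)}
```

The point of the two-step shape is that the secret flows from the site to the user before any secret flows the other way. It raises the bar against a static credential-harvesting page, which has nothing to show at step 1; a live proxy that relays the real site’s response can still present the right image, so this is a first layer on top of TLS and user education, not a complete defense.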
Second, the overall security of Facebook Connect sites depends on each and every one of them being secure. Is TechCrunch secure? Maybe. What about the others? Is a perpetual security audit a requirement for Facebook Connect?
Third, I don’t buy the “there is nothing to phish for in Facebook” argument. Not until Facebook makes all Facebook users, developers, and partner sites aware of the dangers.
Disclaimer: I worked on the technology behind SiteKey while at PassMark, which was later acquired by RSA/EMC and rebranded as Adaptive Authentication (AA). The core of the team that built SiteKey/AA now works at SafePage, a company I co-founded a year ago.