Pretty interesting that Facebook doesn’t really seem to care about social engineering attacks on their users.
Playing devil’s advocate:
Maybe they do, and didn’t consider this elaborate vector.
There’s only so much you can do to protect gullible users from themselves while still enabling said users to retrieve passwords.
Steam, AIM, and many other IM clients still plaster banners in the chat window saying “Do not give your password out to anyone.” The fact that this is needed says a lot about the ease of SE.
Facebook actually said that social engineering attacks do not qualify for their bug bounty. This makes sense to a degree…if I call someone up and ask for their password, and they give it to me, there really isn’t anything Facebook can do.
However, OP’s attack is more sophisticated and I think FB was wrong to dismiss it, given that they are able to partially solve the problem with technology.
Is the title supposed to be an homage to samy’s talk?
Yes. Glad someone noticed.