The exploit may not have been patched in the mobile version of facebook or may still work using a hotmail alias (passport.net or w/e). These are just guesses. I dug into Facebook security a while back and they seemed to have very little protection in place on the mobile site.
