Facebook page hijacking locks out original admins [VIDEO]

Filed Under: Data loss, Facebook, Featured, Malware, Privacy, Social networks, Spam, Video

As you can see in the following video, it's easier to hijack a Facebook page than you would expect, because of sloppy security from the social network.

(Enjoy this video? Check out more on the SophosLabs YouTube channel and subscribe if you like.)

The question is - will Facebook do anything about it?

Facebook pages are an important part of many business's marketing activities. Brands such as Coca-Cola, Victoria's Secret and Starbucks have millions of Facebook fans signed-up to their pages.

Popular Facebook pages

Even more impressively, Lady Gaga has a jaw-dropping 43 million fans on the social network.. and rising.

So it's clear that Facebook pages are an enormously effective way for firms and celebrities to promote themselves and raise brand awareness There's very little cost for a potentially huge amount of publicity.

Facebook pages are run by administrators. Anyone can create a Facebook page, and if your page proves popular you might choose to recruit some additional co-administrators to help you run it.

That's where you need to be very careful - because one of your fellow administrators could hijack the page you have been working on, and remove your admin rights.

That shouldn't be possible, of course. When a journalist rang me yesterday to talk about the problem I pointed them towards Facebook's own help pages that say that although administrators can remove other administrators, they *cannot* remove the person who originally created the page.

Facebook help page

Unfortunately, Facebook's own help pages have got it wrong.

Any page administrator *can* remove the original administrator of a Facebook page, as the video above showed.

Facebook hijackThere are two scenarios here. One is that you have a trusted friend or colleague who you ask to help you administer a Facebook page. Even if they have the best intentions, their Facebook account may get compromised (perhaps their passwords are phished or cracked) giving a stranger the chance to hijack the Facebook page you created.

The other possibility is that you gave a stranger admin access to your Facebook page.

Why would you do that? Well, there are many people and businesses wanting more fans for their Facebook page, and if you go to a site like Fiverr (an online marketplace where you can buy and sell any service for just five dollars) you'll find plenty of folks willing to help you maximise the success of your page.

If you give a cut-price "social media expert" admin rights to your Facebook page, you only have yourself to blame if you're ousted.

And don't go crying to Facebook. They seem to be unwilling to rectify a page hijack, meaning that if you want to recreate the online community you may have spent much time and money on building you'll have to start again from scratch.

Come on Facebook - sort it out. Page administrators should not be able to remove the original administrator without the creator's specific permission.

If you're a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page - where more than 100,000 people regularly discuss the latest attacks.

Hat-tip: The Register. Please note: You might have difficulty reaching The Register because of their ongoing DNS issues.

, , , ,

You might like

18 Responses to Facebook page hijacking locks out original admins [VIDEO]

  1. Well thing is, a simple change to "request for change" at the former admin would be enough to solve this issue in a moderate but sensible way.

  2. I'm a bit puzzled by this post I must admit, as from my own experience Facebook didn't used to let other admins remove the original admin but they subsequently changed that. That happened quite a while back (and I know because I was stuck still being the admin on an old page I created, but subsequently could be removed).

    Not only did the change happen a while back, but rather than reducing security, it increased that. That's because under the old situation a member of staff might create a page for their work, but then leave, move on to another job (perhaps for a competitor?) and still be an admin of the page they created with no way to remove them. That was a pretty big security flaw it seems to me. I'm certainly glad Facebook changed that a while ago.

    So unless I've misunderstood the story, I'm afraid I think it's a dud - it's an old change and it was a good one.

    • I accept that you're describing a scenario where it might be a good thing to remove the original admin - if you have legitimate rights to control the page.

      But there seem to be countless cases where genuine administrators have been booted off pages that they have spent months or years developing, with no warning and no come-back.

      At the very least, Facebook needs to correct its help pages. However, I would like to see them introduce a system whereby the original administrator is informed that someone has requested that they be removed as an admin, so they can give their consent if appropriate.

      The current system is a mess - and as the video shows, many people have been complaining about it for months with no acceptable response from Facebook.

      • Sean Sullivan · 1499 days ago

        Facebook doesn't need to inform other admins — Facebook should something other than more admins, such as editors and guests à la WordPress.

        All admins can delete a Page, all editors have access to the “upload posts via e-mail” address in the Page's settings. It's crazy.

        There should be a hierarchy of rights.

      • Good point about informing the original administrator (and updating their documentation), especially as that's the sort of safety check which is common elsewhere - e.g. when you change the email address that gets notifications in various systems.

    • Martijn Grooten · 1498 days ago

      I agree that this is a scenario that should be taken into account but don't the new settings make things worse, not better? Now _any_ of the page's admins could move to a competitor in a not-so-friendly way, and hijack the page by removing all the other admins.

  3. Wow, I agree with the post.

    It's funny, on another help page says: "Every admin has equal access to and the same abilities as the other admins for a Page."

    Link: http://www.facebook.com/help/?faq=163724440357117

    • I forgot to mention that the same happens with other services like Blogger.com and Google Apps, any administrator can delete other administrators.

  4. James · 1499 days ago

    Seems like they forgot to code in a little boolean flag.

  5. Warren · 1498 days ago

    This happened to me. I set up a Business Account for a client, with a gmail account I created for the same client. Once the Page was set up and the client Liked the Page using their Personal Account, I made them an Admin so they could take over the day to day campaigning. At some point, and I am not clear whether it was a glitch on Facebook's part, or the client, in a panic, seeing there was another Admin that had a default profile photo and an email address for a user name, deleted that Admin. So logging into the original Business Account no longer gives access to the Page that was created on that account. Further, since it is a Business Account (hence, no profile) there is no way to Like the page and have the client make the original Page owner/creator Admin again. The client, whose comfort level ends at making simple status updates with the occasional photo upload, could find the Admin section on the Page and specifically enter the email address of the original Account owner to make them Admin again... so all is not totally lost, but definitely inconvenient. Of course, Facebook has made it virtually impossible to contact them, and the numerous bug reports I sent explaining the situation got no response. I understand it is a free service, so I don't expect too much. I just have a hard time understanding the logic behind their policy and wonder, as well, if they totally understand (or even care about) the implications of their policy.

  6. goyo · 1484 days ago

    My opinion on this subject this is not an account hakear the system only allows others to facebook users manage business facebook, manage power more than one account but did not open businesses on Facebook.

    Only that much careless dumb-ass who wants grace to watch out or know who would give permission as an administrator in our accounts as would happen if I left my bank account to an unreliable person.

  7. Mikee · 1399 days ago

    How can i remove the scam like this one on my wall because it always coming back every time i spam, report and delete this --> "Yeahh!! It happens on Live Television!"
    Pleased help me out here.. :( Thanks in advance.. :)

  8. Lars · 1341 days ago

    Interesting observations - but does anyone know, how you can find out who is registered as admin for a Facebook Page?
    By reading many forum posts from users, who have had all their admins being removed from their Facebook page, I very seldom hear, they had granted somebody else admin priveledges, but some were requested to dp an account verification, and after that process had no longer access to their Facebook page as admin.

  9. Sarah · 1324 days ago

    My admin privileges were removed from my business page, and I was the ONLY admin! (ever) so I have a slightly different slant on the problem, explain that Facebook!! They disappeared 2 weeks ago for no apparent reason (I didn't go thru this 'verification' thingy either). It came back momentarily over the weekend, several times, but went again within 5 minutes. This is taking the micky really, and they don't bother responding to bug reports. My biggest issue is that I am a kid's photographer, and I need to have total control over my content. I believe that my intellectual property rights are being breached. I simply cannot have photos floating in cyberspace with no control over posts to my page. Any great ideas would be appreciated.......

  10. Rush · 1323 days ago

    Please, I have this problem that you presented. Help me, how to resolve it ?

  11. Garrett · 1312 days ago

    My facebook page was hacked last week and I still don't have access to it. Facebook refuses to respond to my multiple requests so many years of my families pictures and history is now owned by some guy in Nigeria...
    In order to help persuade facebook to do what is right and help provide amodicumm of securitysupportt to it's many users, I created a petition. If you or someone you know have been victim of identity fraud through facebook then please go to change.org and sign my petition! Maybe if all those affected stand up and make ourselves known, facebook will be moved to act.
    Here's a direct link to my petition: http://www.change.org/petitions/facebook-make-fac...

  12. Simona · 1279 days ago

    Deare all, I have this kind of issue and both myself and the other admin have been removed from my business page. We were the only 2 admins.
    I reported to FB but of course I got now answer.
    Does anyone know or have tips on how to solve this issue?
    Of course is quite a damage for the business.
    Thanks. Simona

  13. MuWe · 1225 days ago

    That is easy to know, but is it possible to hack a fb fan page if u are not an admin?
    My was hacked and I have no ide how xO

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley