Last year, we showed that it was easier than you might expect to hijack a Facebook page and lock out the original admin.
Here's a video I made at the time, where I showed just how page hijacking could occur.
Facebook page hijacking is an important issue, because so many companies and celebrities treat their Facebook page as a critical part of their marketing activity, with some brands having millions of fans.
Don't forget - a Facebook page which has been hijacked could be used to spread malicious links, spam or scams... all in your brand's name!
The good news is that Facebook has now improved protection for Facebook page administrators. Rather than hand a fellow admin the keys to the entire Facebook page (and effectively give them as much power as you, the original administrator), you can assign them lower rights - which can prevent them removing you as an admin.
Under the newly introduced system, page admins can be assigned specific roles: The most powerful role remains "Manager", but there is also "Content Creator", "Moderator", "Advertiser" and - at the bottom rank - "Insight Analyst".
Facebook page managers have the power to send messages, view insights and create posts and adverts. Crucially, they are also the only role which can access admin roles, and remove other administrators.
In the past, staff who simply wanted to access a Facebook page's admin panel to view statistics on how users were engaging with it, or to run advertising campaigns, needed full admin rights - something which could be a disaster waiting to happen.
Facebook's Help Center describes the different roles for page administrators.
It's great to see Facebook maturing its system in this way. If you're in charge of a Facebook page, and sharing access to the page with other people, you would be wise to check the roles used by your co-admins now - and adjust them as required.
Here's how you check who is an admin on a Facebook page that you administrate:
- Open your Page's admin panel
- Click Edit Page
- From the left column menu, click Admin Roles
- Type the names of other people you'd like to add in the open field
- Click Manager below the name to choose what kind of admin you want to add
- Click Save Changes
Giving a co-admin too much power may bite you in the bottom later, if their account is compromised or if they become mutinous and try to hijack control of the page from you.
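As an added illustration (not from the original article and not Facebook's own code), the following Python audits a roster of page admins against the roles described above: it recommends the lowest role that covers what each person actually does, and lists who could remove the owner. The capability names, the lower-role rows of the table and the roster are assumptions constructed for this example; check the rows against Facebook's Help Center before relying on them.

```python
# Roles in the order the article lists them, most to least powerful.
ROLES = ["Manager", "Content Creator", "Moderator", "Advertiser", "Insight Analyst"]

# Capabilities per role. The Manager row follows the article; the lower rows
# are an ASSUMPTION to be verified against Facebook's Help Center table.
CAPS = {
    "Manager": {"manage_roles", "create_posts", "send_messages",
                "create_ads", "view_insights"},
    "Content Creator": {"create_posts", "send_messages", "create_ads", "view_insights"},
    "Moderator": {"send_messages", "create_ads", "view_insights"},
    "Advertiser": {"create_ads", "view_insights"},
    "Insight Analyst": {"view_insights"},
}

def least_role(needs):
    """Return the lowest-ranked role whose capabilities cover `needs`."""
    needs = set(needs)
    for role in reversed(ROLES):
        if needs <= CAPS[role]:
            return role
    raise ValueError(f"no role grants {sorted(needs - CAPS['Manager'])}")

def audit(roster):
    """roster: {name: (assigned_role, needed_caps)}.
    Returns (name, assigned, recommended) for every over-privileged admin."""
    findings = []
    for name, (assigned, needs) in sorted(roster.items()):
        recommended = least_role(needs)
        if ROLES.index(assigned) < ROLES.index(recommended):
            findings.append((name, assigned, recommended))
    return findings

def can_remove_owner(roster, owner):
    """Names (other than the owner) whose role lets them change admin roles."""
    return sorted(n for n, (role, _) in roster.items()
                  if n != owner and "manage_roles" in CAPS[role])

# Constructed sample roster: name -> (current role, what the person needs to do).
ROSTER = {
    "alice": ("Manager", {"manage_roles"}),            # page owner
    "bob":   ("Manager", {"view_insights"}),           # only reads statistics
    "carol": ("Manager", {"create_ads", "view_insights"}),
    "dave":  ("Content Creator", {"create_posts"}),
    "erin":  ("Moderator", {"send_messages"}),
}

if __name__ == "__main__":
    for name, assigned, recommended in audit(ROSTER):
        print(f"{name}: {assigned} -> {recommended}")
    print("can remove owner:", can_remove_owner(ROSTER, "alice"))
```
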
If you're a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page - where more than 180,000 people regularly discuss the latest attacks.