Facebook page hijacking locks out original admins

As you can see in the following video, it's easier to hijack a Facebook page than you would expect, because of sloppy security from the social network.

Facebook pages are an important part of many business's marketing activities. Brands such as Coca-Cola, Victoria's Secret and Starbucks have millions of Facebook fans signed-up to their pages.


Even more impressively, Lady Gaga has a jaw-dropping 43 million fans on the social network.. and rising.
So it's clear that Facebook pages are an enormously effective way for firms and celebrities to promote themselves and raise brand awareness There's very little cost for a potentially huge amount of publicity.

Facebook pages are run by administrators. Anyone can create a Facebook page, and if your page proves popular you might choose to recruit some additional co-administrators to help you run it.

That's where you need to be very careful - because one of your fellow administrators could hijack the page you have been working on, and remove your admin rights.

That shouldn't be possible, of course. When a journalist rang me yesterday to talk about the problem I pointed them towards Facebook's own help pages that say that although administrators can remove other administrators, they *cannot* remove the person who originally created the page.



Unfortunately, Facebook's own help pages have got it wrong.

Any page administrator *can* remove the original administrator of a Facebook page, as the video above showed.

There are two scenarios here. One is that you have a trusted friend or colleague who you ask to help you administer a Facebook page. Even if they have the best intentions, their Facebook account may get compromised (perhaps their passwords are phished or cracked) giving a stranger the chance to hijack the Facebook page you created.

The other possibility is that you gave a stranger admin access to your Facebook page.

Why would you do that? Well, there are many people and businesses wanting more fans for their Facebook page, and if you go to a site like Fiverr (an online marketplace where you can buy and sell any service for just five dollars) you'll find plenty of folks willing to help you maximise the success of your page.

If you give a cut-price "social media expert" admin rights to your Facebook page, you only have yourself to blame if you're ousted.

And don't go crying to Facebook. They seem to be unwilling to rectify a page hijack, meaning that if you want to recreate the online community you may have spent much time and money on building you'll have to start again from scratch.

Come on Facebook - sort it out. Page administrators should not be able to remove the original administrator without the creator's specific permission.

If you're a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page - where more than 100,000 people regularly discuss the latest attacks.

nb : nakedsecurity.sophos