Facebook page hijacking locks out original admins [VIDEO]

Graham Cluley

As you can see in the following video, it’s easier to hijack a Facebook page than you would expect, because of sloppy security from the social network.

Video: http://www.youtube.com/watch?v=4LSKEoXJUDY (Enjoy this video? Check out more on the SophosLabs YouTube channel and subscribe if you like.)

The question is – will Facebook do anything about it?

Facebook pages are an important part of many businesses' marketing activities. Brands such as Coca-Cola, Victoria’s Secret and Starbucks have millions of Facebook fans signed up to their pages.


Even more impressively, Lady Gaga has a jaw-dropping 43 million fans on the social network... and rising.

So it’s clear that Facebook pages are an enormously effective way for firms and celebrities to promote themselves and raise brand awareness. There’s very little cost for a potentially huge amount of publicity.

Facebook pages are run by administrators. Anyone can create a Facebook page, and if your page proves popular you might choose to recruit some additional co-administrators to help you run it.

That’s where you need to be very careful – because one of your fellow administrators could hijack the page you have been working on, and remove your admin rights.

That shouldn’t be possible, of course. When a journalist rang me yesterday to talk about the problem I pointed them towards Facebook’s own help pages that say that although administrators can remove other administrators, they *cannot* remove the person who originally created the page.


Unfortunately, Facebook’s own help pages have got it wrong.

Any page administrator *can* remove the original administrator of a Facebook page, as the video above showed.

There are two scenarios here. One is that you have a trusted friend or colleague who you ask to help you administer a Facebook page. Even if they have the best intentions, their Facebook account may get compromised (perhaps their passwords are phished or cracked) giving a stranger the chance to hijack the Facebook page you created.

The other possibility is that you gave a stranger admin access to your Facebook page.

Why would you do that? Well, there are many people and businesses wanting more fans for their Facebook page, and if you go to a site like Fiverr (an online marketplace where you can buy and sell any service for just five dollars) you’ll find plenty of folks willing to help you maximise the success of your page.

If you give a cut-price “social media expert” admin rights to your Facebook page, you only have yourself to blame if you’re ousted.

And don’t go crying to Facebook. They seem to be unwilling to rectify a page hijack, meaning that if you want to recreate the online community you may have spent much time and money on building you’ll have to start again from scratch.

Come on Facebook – sort it out. Page administrators should not be able to remove the original administrator without the creator’s specific permission.

If you’re a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page – where more than 100,000 people regularly discuss the latest attacks.

Hat-tip: The Register. Please note: You might have difficulty reaching The Register because of their ongoing DNS issues.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
