
This article was published on September 5, 2011

Facebook Admin removal is a feature not a flaw. But how can hijacking be prevented?



In June last year, we reported that Facebook had finally made it possible for any admin on a company or brand’s Facebook page to delete the original ‘owner’ associated with that particular account. But this has caused some to question whether this is in fact a good idea, given that it opens up a Facebook Fan Page to being hijacked, with the original creator left in the lurch.

As we wrote at the time, there are many reasons why a company or brand may want to change the ‘owner’ of a Facebook fan page. For example, staff turnover means that any number of people may need to ‘own’ a page, or, if the Page was created by a third-party consultant or creative agency, ownership will need to be passed back to the company at some point.

Indeed, many people complained when this functionality wasn’t in place. If a Facebook page was created by one person, why couldn’t ownership be transferred and synced to another email address?

Graham Cluley, Senior Technology Consultant at Sophos, has posted a piece on the company’s IT security blog, Naked Security, highlighting the issue of Facebook fan pages being hijacked. Whilst the blog post suggests it’s a security flaw rather than a deliberate feature, it does still raise some valid concerns – what if you give admin rights to someone who later deletes the original owner (e.g. a company founder or a music artist) and all other admins, and takes unofficial control of the Facebook Page?

See the video Naked Security has put together which demonstrates exactly what the ‘issue’ is:

Just to reiterate, this is a feature implemented by Facebook, and not a security flaw. So the first issue to emerge from this is one of trust. Should companies be handing out admin rights to people they don’t trust? Probably not, but the problem there is that there are countless staff and social media interns who start on trial periods at companies and will probably need full access to a Facebook Page – sometimes these appointments work out, sometimes they don’t. What if they could go out in a blaze of glory and take control of a company’s Facebook Page?

Whilst there is clearly a need to pass ownership of Facebook fan pages on in many circumstances, there probably needs to be a little protection in place to prevent hijacking, which means there’s room for some sort of ‘Manager’ feature to be built in.

This would enable control to be easily regained by the company in question, without having to jump through hoops waiting for Facebook to intervene, if it intervenes at all. Perhaps there could be different types of account, for example Page Editors, Moderators, Authors, with different privileges afforded depending on the level of trust. So, a new intern could write posts but not delete the original owner.

It seems it’s quite a common problem too, as this Facebook discussion thread would suggest. In response to several people stating they’d lost ‘ownership’ of their account, Phill Grove states:

“The same happened to me on Sunday and this is a widespread problem and the official Facebook response is that they WILL NOT change admins back but they can delete the page. We have built a business on Facebook and have spent over $18k growing our page and our database…”

It seems that whilst Facebook may not be helping matters, it’s also confusing them, as the official guidelines in its Help Centre state:

“Every admin has equal access to and the same abilities as the other admins for a Page, however the original creator of the Page may never be removed by other Page admins.”

It seems that Facebook may simply have forgotten to update these guidelines, but this could cause a lot of Facebook Fan Page owners to hand out admin rights thinking they will always have ultimate control, when in fact they don’t.

We’ve contacted Facebook and we’re awaiting comment on the above.
