Mashable has a very good blog entry about a security problem in Facebook. I had noticed this myself but not thought much of it – a new admin can boot old admins, effectively stealing the page from its creators. Social media and public relations consultants need to be aware of this and be very, very careful in granting admin permissions. Apply this standard: If any one admin booted off all the other admins, would your client still be in good hands?
A Facebook security flaw — or, perhaps, a misunderstanding — lets Page administrators boot original Page creators from admin status, effectively enabling new admins to hijack Pages, the blog Naked Security reports.
One could argue that this is working as intended. If the creator of a Facebook Page lets someone else in as admin, they should have equal administrative rights, correct? Wrong. Facebook’s FAQ clearly states that “the original creator of the Page may never be removed by other Page admins.”
Unfortunately, as evidenced in the video embedded below, a newly appointed Page admin can remove the Page creator’s admin status, which can be very nasty in certain cases. Today, Facebook Pages are more than fun; they’re a serious part of business promotion, and losing administrative access to a Page can lead to a host of problems.
Is it a security flaw or simply an error in Facebook’s FAQ? According to the Register, it’s the latter. Ultimately, it doesn’t matter, because the discrepancy between the FAQ and reality creates confusion either way.
We’ve reached out to Facebook for further clarification on the matter and will update this post accordingly.
In the meantime, we’d like to hear about your experiences with the flaw. Have you ever had a Facebook Page hijacked by another admin? How was it resolved, if at all?