wtogami (wtogami) wrote,

Flawed Facebook Policy on Hacked Pages Exposes Users to Security Risk

UPDATE: 6/20/2011
After one week, Facebook finally fixed this problem and returned this particular page to its rightful owner.  Unfortunately, judging from this discussion where hundreds of page owners have been crying for help for 6+ months, Facebook page theft remains rampant and will continue to be a terrible problem as their policies make it nearly impossible to recover a page.  The only reason this particular page was recovered was due to the pressure of thousands of outraged followers.

Facebook page theft is a soft target with high reward.  It is simply too easy to steal a Facebook page through the use of computer viruses and spyware.  The reward to the attacker is very high, as they can use the hijacked page as a platform to infect confused page followers with viruses.  Meanwhile, Facebook allows it to happen as it is their policy to never help legitimate owners recover their stolen pages.

How would you feel if you spent the last year building your Facebook fan page with thousands of followers, only for it to be hijacked, allowing the attacker to ruin your reputation by insulting your followers and attempting phishing attacks on your fans/customers?  By current Facebook policies you cannot recover your stolen page.

Monday, June 13th, a popular Facebook Fan Page for a canceled TV show was hijacked by a script kiddie on a power trip.  The attacker apparently targets admins of popular pages using phishing techniques to trick them into visiting dangerous websites, where their cookies are stolen or browsers exploited to install trojans and key loggers necessary to fully compromise their account.  Once the attacker gains control of a Page admin's Facebook account, they are able to fully seize control by removing all previous admins.

Now two days later, the attacker continues to post taunting messages bragging about his conquest.  Even worse, the page's 55k+ fans are exposed to confusing and dangerous links to sites that attempt to steal their cookies or exploit their browsers, an effective method of using the social network itself to compromise other accounts and hijack other popular fan pages.  Despite the pleas of thousands of followers reporting the dangerously abusive phishing links on the self-proclaimed hacked page, it is apparently Facebook policy to do nothing.

Please note that it is not technically possible to compromise a Facebook group or Page. As long as the current administrators of a group keep their login details secure, keep their account enabled, and do not allow any suspicious people to become admins, then the group or Page will remain secure. If an unauthorized person gains admin status, we encourage you to contact them directly to resolve this matter. Unfortunately, Facebook is not able to reinstate you as an admin for any group or Page.

Facebook is unreasonable in these expectations, as it is far too easy for ordinary users to be infected by viruses and spyware and their personal accounts to become compromised.  As an administrator of other Facebook pages for both companies and non-profit causes, it is absolutely frightening to learn that if the account of any page co-admin is compromised, then weeks or months of hard work may be stolen with NO RECOURSE.  Most egregious of all, Facebook is unwilling to do anything about attackers using compromised pages as phishing attack platforms.  Facebook's unwillingness to get involved puts the security of users at risk.

Some have suggested that Facebook could mitigate this problem of page hijacking by allowing greater protections to Creators, such as page-level mandatory cell phone verification or the delegation of "assistant admins" incapable of removing other admins.  While these measures would likely have prevented this particular compromise, they wouldn't stop a determined attacker when the reward can be so large.  Ultimately the policy of never returning a clearly stolen page to its rightful owner must be changed.
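To make the two suggested protections concrete, here is an added example of what such a least-privilege admin model could look like.  This is illustrative code written for this post, not Facebook's implementation or anything the original author published; the three roles, the per-session `phone_verified` flag and the rule that the creator can never be removed are all assumptions.  It shows why a compromised assistant account, or a compromised full admin without a verified session, cannot remove the page's other admins.

```python
"""Hypothetical page-admin authorization model (added example, not Facebook's code).

Assumed protections:
  * an "assistant" role that may post as the page but may not touch the admin roster;
  * roster changes (add/remove admin) require a phone-verified session;
  * the creator can never be removed, so a hijacked co-admin cannot lock the owner out.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Role(Enum):
    CREATOR = "creator"      # page owner; can never be removed (assumption)
    ADMIN = "admin"          # full admin; may manage the roster
    ASSISTANT = "assistant"  # may post as the page only


class Denied(Exception):
    """Raised when an action fails the authorization check."""


@dataclass
class Session:
    user: str
    phone_verified: bool = False  # hypothetical per-session second factor


@dataclass
class Page:
    name: str
    roster: Dict[str, Role] = field(default_factory=dict)
    audit: List[Tuple] = field(default_factory=list)  # roster changes, for review

    def role_of(self, user: str) -> Optional[Role]:
        return self.roster.get(user)

    def _require_roster_authority(self, session: Session, action: str) -> None:
        """Only creator/admin roles may change the roster, and only when phone-verified."""
        role = self.role_of(session.user)
        if role not in (Role.CREATOR, Role.ADMIN):
            raise Denied(f"{session.user} ({role}) may not {action}")
        if not session.phone_verified:
            raise Denied(f"{action} requires a phone-verified session")

    def add_admin(self, session: Session, new_user: str, role: Role) -> None:
        if role is Role.CREATOR:
            raise Denied("the creator role cannot be granted")
        self._require_roster_authority(session, "add an admin")
        self.roster[new_user] = role
        self.audit.append(("add", session.user, new_user, role.value))

    def remove_admin(self, session: Session, target: str) -> None:
        self._require_roster_authority(session, "remove an admin")
        if self.role_of(target) is None:
            raise Denied(f"{target} is not an admin of {self.name}")
        if self.role_of(target) is Role.CREATOR:
            raise Denied("the creator cannot be removed")
        del self.roster[target]
        self.audit.append(("remove", session.user, target))

    def post(self, session: Session, text: str) -> str:
        """Any roster member, including assistants, may post as the page."""
        if self.role_of(session.user) is None:
            raise Denied(f"{session.user} is not an admin of {self.name}")
        return f"[{self.name}] {text}"


def new_page(name: str, creator: str) -> Page:
    """Create a page whose roster holds only its creator."""
    page = Page(name)
    page.roster[creator] = Role.CREATOR
    page.audit.append(("create", creator, creator, Role.CREATOR.value))
    return page


def takeover_blocked(page: Page, attacker_session: Session) -> bool:
    """True if the given (possibly hijacked) session cannot remove any admin."""
    for user in list(page.roster):
        try:
            page.remove_admin(attacker_session, user)
            return False
        except Denied:
            continue
    return True


if __name__ == "__main__":
    # Constructed scenario: owner delegates a co-admin and an assistant.
    page = new_page("Fan Page", "owner")
    owner = Session("owner", phone_verified=True)
    page.add_admin(owner, "coadmin", Role.ADMIN)
    page.add_admin(owner, "helper", Role.ASSISTANT)
    # A hijacked assistant or an unverified co-admin session cannot remove anyone.
    print(takeover_blocked(page, Session("helper", phone_verified=True)))
    print(takeover_blocked(page, Session("coadmin", phone_verified=False)))
```

The model deliberately separates "can act as the page" from "can change who controls the page": day-to-day posting stays delegated, while the roster is reachable only from a stronger-verified session and can never be emptied of its creator.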

Facebook's social networking can be an invaluable tool to improve customer loyalty around a business or organize people around a cause.  Unfortunately, given current policies, companies should be wary of investing real money in Facebook ads or putting significant effort into Facebook page recruitment when all of their hard work can be too easily destroyed.
