A Facebook security flaw — or, perhaps, a misunderstanding — lets Page administrators boot original Page creators from admin status, effectively enabling new admins to hijack Pages, the blog Naked Security reports.
One could argue that this is working as intended. If the creator of a Facebook Page lets someone else in as admin, they should have equal administrative rights, correct? Wrong. Facebook’s FAQ clearly states that “the original creator of the Page may never be removed by other Page admins.”
Unfortunately, as evidenced in the video embedded below, a newly appointed Page admin can remove the Page creator’s admin status, which can be very nasty in certain cases. Today, Facebook Pages are more than fun, they’re a serious part of business promotion and losing administrative access to a Page can lead to host of problems.
Is it a security flaw or simply an error in Facebook’s FAQ? According to the Register, it’s the latter. Ultimately, it doesn’t matter, because the discrepancy between the FAQ and reality creates confusion either way.
We’ve reached out to Facebook for further clarification on the matter and will update this post accordingly.
In the meantime, we’d like to hear about your experiences with the flaw. Have you ever had a Facebook Page hijacked by another admin? How was it resolved, if at all?