Hundreds of Facebook Groups Hacked

By | November 10, 2009

 image

(Update UTC 2100: I’ve received a reply from Erik Hjort af Ornäs, the registrar of the site itself, and have included his statement below and in the comments, as well as that of Facebook. Both deny any hacking took place)

A hacker, or group of hackers, has found a back door into taking over Facebook groups, and is now doing so, claiming it to be a public service. It has taken over up to 300 different Facebook groups so far.

This is an example of one:

image

On each of them the group name is changed to Control Your Info, the group logo changed and its description is altered to

Hello, we hereby announce that we have officially hijacked your Facebook group.
This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severly.
For example we could rename your group and call it something very inappropriate and nasty, like “I support pedophile’s rights”. But have no fear – we won’t. We just renamed it Control Your Info. Because this is really all we want:
Think about the safety in your social media life to the same extent you do in your real life.
Watch the videoclip for more information or check out www.controlyour.info for more tips soon!
We promise to restore your group name and leave the group by the end of next week. Don’t worry – we won’t mess anything up.
Best regards
/controlyour.info

A message is then sent to all members of that group.

The method is explained on the hackers’ website:

Facebook Groups suffer from a major flaw. If a administrator of a group leaves, anyone can register as a new admin. So, in order to take control of a Facebook group, all you really have to do is a quick search on Google.

When you’re admin of a group, you can basically do anything you want with it. You can change it’s name, and the groups members won’t even get a notification of it. You can send mails to all members and edit info. This is just one example that really shows the vulnerabilities of social media. If you chose to express yourself on the internet, make sure the expressions are your own and not a spammers. This isn’t some kind of scare tactics, nor is it a hack, it’s a feature that can be used, and is being used, in bad ways. Remember, control your info! Also, this project is strictly not for profit and done for a good cause.

It’s not clear to me how they search on Google for recently departed admins, but I’m sure it’s relatively easy.

Neither is it clear who is behind the website itself. The site is registered to one Erik Hjort af Ornas of Stockholm. I’m emailing him to seek more information. Here is his statement:

Our main goal is to draw attention to questions concerning online privacy awareness.

We have seen too many examples where friends and relatives of ours have suffered from their lack of in-depth knowledge concerning their online presence. After some research we discovered  this is a wide spread problem. People have even lost their jobs over Facebook content. So we wanted to do something about this.

Our method of choice only serves the purpose to prove our point and put emphasis on how easy it is to lose track of a part of your online presence. If we wouldn’t have communicated this way, our message would probably have fallen into oblivion the moment it got out.

So, what exactly did we do and how?

We discovered that many groups on Facebook are left without an administrator. All we needed to find these groups was one quick Google search. The search results also revealed many groups that already had been hijacked by various people. Their intentions remain unclear.

So we simply joined 289 open groups and made ourselves administrators. We did not hack anything. Once we were administrators we owned the groups and could have changed any setting. We chose to change the picture, the name and the description of every group. Our intention was and is to restore these groups to their original form and find a suitable admin among the members. To be able to do this, we first backed up all the data we wanted to replace.

During the process we broke the terms of service, as defined in the Statement of Rights and Responsibilities of Facebook, and were rightfully banned:

§ 4.1  “You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission”.

We created fictive accounts for one reason: we wanted to put focus on our message rather than our persons. It also eased the process of joining and administrating this large number of groups.

Facebook is apparently not aware of this bug in their software. In response to an emailed query, .Facebook claims there is no bug in their software, that any hacking took place, nor, apparently, that there was any mass takeover of groups. According to a spokesperson:

There has been no hacking and there is no confidential information at risk.  The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group.  Group administrators have no access to confidential information and group members can leave a group at any time.  For small groups, administrators can simply edit a group name or info, moderate discussion, and message group members.  The names of large groups cannot be changed nor can anyone message all members.  In the rare instances when we find that a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups.

My comment on this: 300-odd Facebook accounts hacked—or usurped, or hijacked, or whatever you want to call it—is not a ‘rare instance’. What’s more, the groups I checked were very much still active. I frankly don’t find the Facebook response particularly helpful or reassuring.

It’s hard to see how this public service helps—the group, or individual, should be approaching Facebook and helping them plug the hole. This tactic is likely to sow confusion and fear among the Facebook populace, and possibly lead to the erasure of some treasured data on those defaced groups.

19 thoughts on “Hundreds of Facebook Groups Hacked

  1. sufehmi

    It helps by raising awareness of the problem.

    In many, many cases; when a security hole was found, the vendor can’be be bothered to look or fix it.
    Sometimes, only a public outcry will force them to fix said security hole.

    This is considered better than the alternatives. For example, letting the security hole unknown – so finally it was found by balck-hat hackers, and exploited like mad for their own financial gain.
    Their gain, on OUR loss.

    Anyway, this is why all vendors should have open disclosure policy; like the one implemented by various open source software vendors.

    Reply
  2. Jeremy Wagstaff

    Sufehmi, I agree it’s sometimes necessary to create a public outcry. And it’s true that Facebook is not well resourced to handle this kind of issue. But I find no claim on the part of those who discovered this flaw to have at least tried to contact Facebook.

    Reply
  3. Toph

    The search is easy. Just Google “There are no admins left in this group!” “Open: All content is public.” e.g.:

    http://www.google.com/search?q=“There+are+no+admins+left+in+this+group!”+”Open:+All+content+is+public.”

    Boom.

    You could probably refine it using number range searches to try to find the biggest groups up for grabs.

    I must say, I kind of like this. They’re being quite polite about it and drawing attention to an important issue.

    Reply
  4. Jeremy Wagstaff

    Thanks, Toph. If the link doesnt work, try this. I agree those behind it could have been a lot nastier, but I still feel it was unnecessary to do it like this. Even alerting some tech journalist might have been enough.

    Reply
  5. Toph

    Yes, perhaps you’re right… although, I don’t know. This seems to do a pretty good job of going straight to the people who need to listen. Not everyone reads TechMeme and hears about all the latest Facebook “hacks.”

    Reply
  6. Jeremy Wagstaff

    Still waiting for more from Control Your Info (see their comment above) but this is on their site (nothing much on the YouTube page so far):

    Update

    Apparently Facebook has shut off our Fan Page. Seems like there are different views on what we’ve been doing, like these two sites: Hundreds of Facebook Groups Hacked and Facebook Groups Hacked.
    So, is it hacking? No. This is NOT hacking, by any definitions of the term at all. A take-over? Yes, that we can agree on. Since the Facebook Fan Page got taken down, we guess you will have to contact us by commenting on our YouTube account right now: http://www.youtube.com/user/controlyourinfo.

    Reply
  7. Pingback: meneame.net

  8. Jeremy Wagstaff

    Here’s a statement from Erik Hjort af Ornäs, a member of the group, or the individual behind the incidents:

    This is our statement, you’re the first to get it:

    Our main goal is to draw attention to questions concerning online privacy awareness.

    We have seen too many examples where friends and relatives of ours have suffered from their lack of in-depth knowledge concerning their online presence. After some research we discovered this is a wide spread problem. People have even lost their jobs over Facebook content. So we wanted to do something about this.

    Our method of choice only serves the purpose to prove our point and put emphasis on how easy it is to lose track of a part of your online presence. If we wouldn’t have communicated this way, our message would probably have fallen into oblivion the moment it got out.

    So, what exactly did we do and how?

    We discovered that many groups on Facebook are left without an administrator. All we needed to find these groups was one quick Google search. The search results also revealed many groups that already had been hijacked by various people. Their intentions remain unclear.

    So we simply joined 289 open groups and made ourselves administrators. We did not hack anything. Once we were administrators we owned the groups and could have changed any setting. We chose to change the picture, the name and the description of every group. Our intention was and is to restore these groups to their original form and find a suitable admin among the members. To be able to do this, we first backed up all the data we wanted to replace.

    During the process we broke the terms of service, as defined in the Statement of Rights and Responsibilities of Facebook, and were rightfully banned:
    § 4.1 “You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission”.

    We created fictive accounts for one reason: we wanted to put focus on our message rather than our persons. It also eased the process of joining and administrating this large number of groups.

    Reply
  9. dola

    do you really think it is a very intelligent action to cry out a recipe “how to become admin of facebook groups”? If you’re not smart enough to find it out yourself, you’re obviously not chosen to know it…

    and the very smart guys who are asking like that are mostly exactly those who wanna know it only to produce some damage…

    Reply
  10. Bill

    I should think a reasonable step would be to let only group members who already belonged when the admin resigned become admins. After all, when the admin leaves a group he gets a message saying that the other group members will be invited to take over, but this doesn’t happen. Perhaps the best solution would be to change the message to insist that the current admin appoint a successor before leaving the group.

    Reply
  11. Bill

    How would your strategy have been different if only members who had joined

      before

    the admin quit could become admins?

    Reply
  12. behrol

    face book admin should some thing , many Baloch and other groups were easily hack by hackers, if that happaend again we will leave fb

    Reply
  13. ali

    my friend have facebook group and someone hacked it who i can take the group from hacker help me

    Reply
  14. Marlene Pope

    this group was taken over by a rouge admin what can I do to regain my group I had the group up to well over 10,000 members and she deleted all admin including myself and took my group over as he own I cannot even see my group because she has me banned I worked this group for a yr and a half and was on there everyday …also were my other admin who were also removed please tell me there is a way to get myself added back as admin or is this it and she just gets to steal it ?

    Reply
  15. Pingback: Sicherheitslücken bei Facebook-Gruppen

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.