Facebook lets me have full access on someone’s public page—but I’m not an admin
I have long maintained that Facebook’s databases are dying (hence their need to force people to download malware) and tonight’s discovery is a case of ‘What more proof do you need?’
Tonight, I can edit a verified (blue-ticked) Facebook page with a fan base in the high five figures that is not mine. I can view all the messages, remove admins, receive notifications, and comment and like as that page. The one thing I cannot do is notify the real owner of that page via Facebook messaging.
This is not unlike in 2013, when someone found themselves a fan of my public page—but they never liked it. Fortunately for me, they believed us when we said we knew nothing of it.
And fortunately for this person, I am (a) not dodgy and (b) I know her in real life, though I have not spoken to her in over three years. She hasn’t made me an admin. I’ve looked on the list of pages I really administer and hers isn’t there. I’ve gone into her page’s settings and the page roles, and I’m not listed as an admin. Yet I can do everything an admin can. There’s a box right there for me to add other people as admins to her page. I could kick her off.
I tried contacting this person’s private profile via Facebook messaging as myself. Impossible. I can’t attach screen shots to show her what I discovered, and clicking ‘Send’ does nothing. I will, of course, email her.
How did I find out? Someone shared an article from the Lucire Facebook page. I clicked through to see if the sharer had written anything. I wanted to ‘like’ the share as Lucire rather than myself, and discovered that I could only be me and this other person. In fact, I could do nothing in the name of the pages I actually run. The sharer does not have either me or this person as Facebook friends.
The first clue. How come I can comment as this person?
I can only comment as myself as this one other page that I have no current connection to.
Sure enough, I have full access to the site settings and messages.
I’m not an admin, though I seem to have all the admin privileges.
Full access to mess around with her posts, and further proof I can comment as her.
This blog post is a warning to anyone with a Facebook page. Just know that at any time, access to your page can be granted to someone else.
If pages are no longer secure, then I have to ask: what is the point of Facebook?
This isn’t good news for us at all because one of the businesses I am involved in relies on Facebook.
But it’s certainly a risky platform to be on, and I am willing to bet this bug will become more widespread.
You may also like
Oh dear. It’s very easy for me to cop out and say once again, this is one of many reasons why I’ve left Facebook. But I live in a small rural area- a somewhere in the middle of nowhere- and I know that several entities here depend very heavily on Facebook. It’s not just small businesses. The police department alone- every link they tweet points to their Facebook page, if not the local news agencies. It’s not much different for other government services, non-profits, and so on, that I can see. If this problem gets worse, Jack, I reckon it will create a lot of havoc for small towns. It could potentially be a problem for everyone- even those who have websites still seem to depend on social networks, and Facebook seems king among them.
This, the number of fakes plaguing the system, and the forced malware downloads are all fatal to Facebook—I would be asking some serious questions if I was a tech journalist. However, it seems there are no tech journalists who are willing to ask anything. It may be like the Volkswagen Dieselgate scandal: people knew long before it blew up, and there will be some other random trigger that will see Facebook in hot water.
[…] Strangely, I can see the stats on a page that’s not even mine, and for which I have no […]
[…] If someone who has never been authorized to have a role on a Facebook page can have full admin acces…, then it stands to reason that a legitimate owner of a Facebook page cannot do what she needs with it. That’s exactly what happened to my friend Holly Jahangiri, who has a Facebook page and an Instagram profile, both of which are connected. She can read her private messages. She can log into both, and she is the admin of both. Facebook has her email address and cellphone number. But she couldn’t schedule a post for either, and that’s when Facebook sent her into a loop—not unlike the one that Google sent me on in 2009, although Google’s forum person was way ruder. Facebook kept asking Holly to review her connection and confirm she is admin of her own page—information that they already had. Unless their databases are so shot to hell that even internally they cannot determine this. She would love to click ‘Confirm’ but the button was greyed out, saying, ‘You must be an admin of the associated Page’s business in Business Manager to confirm the Instagram account.’ But she is the admin. […]