Hundreds of Facebook groups hijacked

Facebook groups are under attack. But the attackers say they come in peace and insist they want only to highlight a flaw in the way Facebook handles group administration.

An organization called Control Your Info has taken control of hundreds of Facebook groups. Those groups had administrators that eventually stepped down from their position, creating a power vacuum at the top. According to the organization, when the administrator steps down, anyone can take over a group, view the members' personal information, and change group information to say whatever they want. Control Your Info believes that the way Facebook handles group administration is a major flaw. And it wants to bring that to everyone's attention.

Control Your Info has hijacked Facebook groups.

(Credit: Screenshot by Don Reisinger/CNET)

"Hello, we hereby announce that we have officially hijacked your Facebook group," a message written on Monday reads on one hijacked group. "This means we control a certain part of the information about you on Facebook. If we wanted, we could make you appear in a bad way which could damage your image severely."

Janis Roukkos, a representative from Control Your Info wrote that his organization wants to get social-networking users to "think about the safety in your social-media life to the same extent you do in your real life." Although the Control Your Info is in control of that specific group now, Roukkos wrote that Control Your Info will restore the group name (which it changed) and leave the group "by the end of next week." He also promised to not "mess anything up."

That single group isn't alone. A quick search for "Control Your Info" in Facebook yields hundreds of groups that have been hijacked by the organization. All the group names have been changed to "Control Your Info," the logos have been changed to the organization's image, and the messages are all the same. The only difference is which Control Your Info representative is writing about the organization's intentions to each group.

Control Your Info's blog sheds some more light on the organization's problem with Facebook. According to Control Your Info, "Facebook Groups suffer from a major flaw. If (an) administrator of a group leaves, anyone can register as a new admin. So, in order to take control of a Facebook group, all you really have to do is a quick search on Google.

"When you're admin of a group, you can basically do anything you want with it," the blog post continued. "You can change (its) name, and the groups members won't even get a notification of it. You can send (messages) to all members and edit info. This is just one example that really shows the vulnerabilities of social media."

Once again, Control Your Info attempted to justify its actions. The organization said the "project is strictly not for profit and done for a good cause."

Facebook did not immediately respond to request for comment.

In the meantime, what do you think about Control Your Info's practices? Is it really teaching folks about social-media security? Let us know in the comments below.

[jeffhesser]

You have to admit, this does seem like a flawed way to manage groups. If these guys do return control and keep from doing anything eroneous with the data then I'd say this is as good of an example of white-hattin as i've seen (not that they are some kind of l33t hackers but they have the right idea).

[Seaspray0]

I agree. These guys are white hats as by their actions they've demonstrated no malicious intent. But even if their intentions are good, I suggest they remain anonymous. Too often when someone tries to be a good semaritan, they get bit by the person they are trying to help or by the government. Facebook really owes these guys a big public thank you.

[kaiman75]

I think this a good way to point out the vulnerabilities in a non-malicious way while also making it evident how easy it is to take control of these sites. I think we need more of this.

Let's just hope the good guys get there before the bad guys do though...

[Renegade Knight]

At first I thought they were breaking rules but reading how they did it, Kudo's to them.

[cdwilliams1]

It's the only way Facebook and the users will learn. FB (and the other social network sites) aren't really interested in changing anything until the users are outraged. This seems like a good way to get them to act. Plus it alerts people to the dangers inherent in social media. This, combined with that ACLU FB app that's also going around really highlight the dangers of FB.

[timber2005]

Its not a vulnerability... its a feature. It has its positives, but this is a negative, that ANYONE could take it over whether interested or not.

[lazycat202]

i don' t mind. I've nothing in my facebook ;) no info at all!!

[Get_Bent]

Congratulations! You're now a 96-year-old hermaphrodite from Outer Mongolia.

[sharmajunior]

I like the way they work. If you can't teach something to someone nicely. Brute force is the way baby.

Some companies actually pay people to find flaws in their product. Facebook, consider this a freebie!

I can see why this group did what it did. The article doesn't mention if this group tried to contact Facebook first to resolve this issue. If they did and Facebook turned a deaf ear to them, then I personally see nothing wrong with what they did, as long as they follow through with their promise of putting everything back the way it was.

[bsharkey]

I understand FB didn't really want a bunch of truly orphaned groups with no control lying around, so the mechanism they put in was to allow any other volunteer to take over these groups. other members should have to nominate the new administrator. would still be far from perfect (imagine many people joining a vacated group in hostile takeovers) but much better.

another step would be to ask people if they want to give permission for the group owner to access their info. to that one, I can only say duh?

[linuxroadwarrior]

Why not take the Wikipedia approach? Let the people decide who will be the next admin.

[clamenza]

Good job.

[lissie52]

If this group has come out to say what they are trying to achieve, then I congratulate them. It's just like an undercover cop who pretends to make a date with a minor, just to show minors and others how vulnerable we are on the net . Any one can get our info. Social sites need to step up on secured settings.

[slashatcoxdotnet]

No, it's more like someone who is not an undercover cop who makes a date with a minor and then says "oh! I was pretending to be an undercover cop!"

Tell it to the judge.

[inachu1]

I have nothing to do with these people but Facebook has banned me over the weekend anyway.
I am a victim and facebook admins ban accounts with the care and honesty of a rude immoral teen boy bully who loves to get in fights and getting people angry.

60% of the time the facebook staff have ZERO justification on banning accounts and just google about it. TONS of people being banned for simple things such as sharing a link 5 times to just 5 friends and FACEBOOK CALLS THAT SPAM! Umm its not spam if those 5 friends like it and enjoy reading the links I provide them!
facebook admins are just plain rude rude rude rude!

[streamline35]

That's outrageous! You should demand your money back!

[grtgrfx]

Fact is, a computer banned you, not Facebook staff. Their banning system is more like a spam/profanity filter. Once you post a violating message, their system weighs it and if over a threshold, you're banned. Too bad it's a private company and not some elected official you can vote out, but there it is.

[sughyosha]

Dear Inachu1 -

Facebook has a policy limiting the number of email addresses you can use when forwarding an email.
If you find this restrictive - use the other public email addresses to write to them - who will complain or restrict you?

Peace brother - don't see bullies where none exist.
Can you run something the size of facebook without any rules and policies?
I think it would be impossible :))))

Cheers
Peter

[uareanidiot]

Fact: 87.65432568% of made up statistics make you sound more intelligent, ie. "60% of the time the facebook staff have ZERO justification on banning accounts..."

"They've done studies, you know. 60% of the time it works, every time." -Brian Fantana

[linuxroadwarrior]

Well,

Grey hatting is NOT the way to do it. I don't think it is the best method of showing wrongs, but it is effective.

[colley1962]

It sounds to me as if this group may have more in mind than "helping" Facebook see its flaws. This kind of action only scares the members of Facebook, thereby causing them to close their accounts. This doesn't sound like a very "friendly" way of handling a flaw in Facebook's programming. If these people wanted to handle this in a responsible and mature manner, they should have went to those who are directly responsible for Facebook's security. Sounds to me as if there could be more to this than just a "friendly" helping hand. After thousands of Facebook users close their accounts, where will they go for social networking? Might there be another NEW social networking site just waiting for those who left Facebook--offering them MUCH IMPROVED SECURITY FOR THEIR PERSONAL INFORMATION?

[mike1881]

Haha good point I completely forgot wave was coming out until I read what u said.

[shootfirst]

I think facebook is stupid and this just goes to prove how stupid it is. Seriously leaving the admin spot open for anyone to fill it is just retarded. There should be a voting process enabled that waits for a time period while a new admin is voted in. Fact that admins just get up and leave say one thing about facebook that it is stupid and you don't really know who the admins are. The admins probably od'd from playing too much of that stupid farming game.

[linuxroadwarrior]

Sounds like you think all Internet is stupid. Don't like it, don't use it.

Yes, the admin feature needs work. Lots of work.

[lcview]

This is a good thing that Control Your Info did...Facebook needs to be more secure. Anytime an Admin leaves the position, there should be an email alert that goes out to all members. Everyone voting for the new Admin sounds fair, but until then someone needs to step in temporarily and protect the site.

[anniefacebook]

There has been no hacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. Group administrators have no access to confidential information and group members can leave a group at any time. For small groups, administrators can simply edit a group name or info, moderate discussion, and message group members. The names of large groups cannot be changed nor can anyone message all members. In the rare instances when we find that a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups.

Annie Ta
Facebook Spokesperson
press@facebook.com

[ckerr]

If you really are an official Facebook Spokesperson, Annie Ta, would you be so kind as to share the comments on this thread with those in positions of authority in Facebook..... Facebook is still really young by any metric other than internet time and this is a perfect example of running before you know how to walk.

[littleM]

No good deed goes unpunished. They will probably wind up on some Homeland Security watch list and never be able to board an airplane again.

[masonx]

I love it. The Facebook and other similar "social network" users are very fortunate, that this is so benign. Basically, it continues to prove the point that you are an idiot if you post personal information about yourself any where - unless there is some suitable reward to justify the risk.

[krosafcheg]

Second and third command admins? Make it mandatory. Like a Will exececutor. :)

[RussPet]

Given that the group "did no evil" I think they provided a valuable service and headed off some pain for people.