Facebook Denies Hijack
Ellen Messmer, Network World
With a link back to a site, the apparent members — using the names “Bella Roregit,” “Burstin Woltan” and “Janis Roukkos” — began leaving their mark on various Facebook groups intended for topics that include entertainment, business and sports. The Control Your Info statements declared: “This means we control a certain part of the information about you in Facebook. If we wanted, we could make you appear in a bad way which could damage you severely.”
According to the Control Your Info Web site, the group’s mission is to bring attention to security weaknesses in social media.
“Social media has become a natural part of most people’s daily lives. Unfortunately, the security aspects of social media have been more or less neglected.” Control Your Info did not immediately respond to a request for comment about its activities.
Facebook, however, has issued a statement about the incident that says, “There has been no hijacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. Group administrators have no access to private user information and group members can leave a group at any time. For small groups, administrators can simply edit a group name or info, moderate discussion and message group members. The names of large groups cannot be changed nor can anyone message all members. In the rare instances when we find a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups.”
Some users in the groups affected by the Control Your Info takeover were obviously displeased about the turn of events and scornful of Control Your info’s explanation about how it’s making a point about security by taking control.
“I have an idea, why don’t I teach you about traffic safety by running you over with my car? wrote one irate Facebook user in a group that had been commandeered by Control Your Info. “Is that how it works?
Michael Sutton, vice president of security research at zScaler, said he doesn’t think the Control Your Info takeovers constitute a major security concern. That’s because the person who creates a group of this sort on Facebook is by default the administrator, and when this individual decides to abandon that by de-listing as the admin, anyone else in the group can step in to promote themselves be the administrator. That’s the way Facebook designed this type of group and is clear about it, though other types of Facebook groups, such as closed ones, have different security procedures. In that case, the Control Your Info people simply did a search to discover the type of Facebook groups that had the administrator position abandoned, and stepped in with their dramatic hijacking routine. “This is really making a mountain out of a molehill,” he said.
Hackers Take Over Hundreds of Facebook Groups
Hello, we hereby announce that we have officially hijacked your Facebook group. This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severly [sic].
For example we could rename your group and call it something very inappropriate and nasty, like “I support pedophile’s rights”. But have no fear – we won’t. We just renamed it Control Your Info. Because this is really all we want:
Think about the safety in your social media life to the same extent you do in your real life.
Watch the videoclip for more information or check out www.controlyour.info for more tips soon!
We promise to restore your group name and leave the group by the end of next week. Don’t worry – we won’t mess anything up.
Best regards
/controlyour.info
All members of the group get a message as well.The hackers are presenting this stunt as a public service, but it’s not the right way to go about things.
Originally posted to the PCMag.com security blog, Security Watch.
Hundreds of Facebook groups hijacked
Facebook groups are under attack. But the attackers say they come in peace and insist they want only to highlight a flaw in the way Facebook handles group administration.
An organization called Control Your Info has taken control of hundreds of Facebook groups. Those groups had administrators that eventually stepped down from their position, creating a power vacuum at the top. According to the organization, when the administrator steps down, anyone can take over a group, view the members’ personal information, and change group information to say whatever they want. Control Your Info believes that the way Facebook handles group administration is a major flaw. And it wants to bring that to everyone’s attention.
Control Your Info has hijacked Facebook groups.
(Credit: Screenshot by Don Reisinger/CNET)
“Hello, we hereby announce that we have officially hijacked your Facebook group,” a message written on Monday reads on one hijacked group. “This means we control a certain part of the information about you on Facebook. If we wanted, we could make you appear in a bad way which could damage your image severely.”
Janis Roukkos, a representative from Control Your Info wrote that his organization wants to get social-networking users to “think about the safety in your social-media life to the same extent you do in your real life.” Although the Control Your Info is in control of that specific group now, Roukkos wrote that Control Your Info will restore the group name (which it changed) and leave the group “by the end of next week.” He also promised to not “mess anything up.”
That single group isn’t alone. A quick search for “Control Your Info” in Facebook yields hundreds of groups that have been hijacked by the organization. All the group names have been changed to “Control Your Info,” the logos have been changed to the organization’s image, and the messages are all the same. The only difference is which Control Your Info representative is writing about the organization’s intentions to each group.
Control Your Info’s blog sheds some more light on the organization’s problem with Facebook. According to Control Your Info, “Facebook Groups suffer from a major flaw. If (an) administrator of a group leaves, anyone can register as a new admin. So, in order to take control of a Facebook group, all you really have to do is a quick search on Google.
“When you’re admin of a group, you can basically do anything you want with it,” the blog post continued. “You can change (its) name, and the groups members won’t even get a notification of it. You can send (messages) to all members and edit info. This is just one example that really shows the vulnerabilities of social media.”
Once again, Control Your Info attempted to justify its actions. The organization said the “project is strictly not for profit and done for a good cause.”
Facebook did not immediately respond to request for comment.
In the meantime, what do you think about Control Your Info’s practices? Is it really teaching folks about social-media security? Let us know in the comments below.
Facebook Groups ‘Hacked’ For A Good Cause
If you’re a regular user of Facebook (who isn’t these days?) you have probably joined up with your share of groups. Facebook groups are sort of like a combination of club and petition, except for totally useless and so flooded with spam as to be unsuited for anything but a novelty. As you can probably tell, I’m not a big fan of them. Well today it looks like my distaste for Facebook groups was reasonable after all. It turns out they’re incredibly vulnerable to the actions of assholes with a tiny bit of knowledge.
Loose wire blog reports that over 300 different Facebook groups have been taken over today by a group called Control Your Info. Here’s a link. Some folks are calling this a ‘hack’, but that’s not really true. The groups were hijacked by way of an existing, perfectly legal and transparent feature within Facebook. All the ‘hacker’ did was search groups who’d had an admin leave, and then joined as an admin. This gave them the ability to change the name of the group. Once they had control, they left this note;
“Hello, we hereby announce that we have officially hijacked your Facebook group. This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severly. For example we could rename your group and call it something very inappropriate and nasty, like “I support pedophile’s rights”. But have no fear – we won’t. We just renamed it Control Your Info. Because this is really all we want:”
The message than goes onto urge people to take an interest in their security when it comes to social media. They warn that Facebook has many vulnerabilities, and state that users need to be keyed into that and aware of the risks. The hijacker promises to restore all groups back to their original state at the end of a week.
These guys (or this guy?) has my support. They’ve exposed a major vulnerability in a popular utility without exploiting or harming anyone. Sure, their tactics were a bit theatrical, but how else were they supposed to drive the message home to people? Maybe now people will realize how much of their image they put at risk by trusting sites like Facebook implicitly.
Facebook groups hacked through design flaw
Mashable reports that anyone can hijack a group on Facebook just by joining the group and registering as an administrator after the real admin has left. The group is then at the mercy of the “illegal” admin, who can change the name, edit the information, the picture, send messages to members – in short, he can abuse the acquired “power” by putting up offensive stuff.
There was a Facebook group by the name Control Your Info, whose members were going around and hijacking groups to try to raise awareness about the flaw, but it has been shut off by Facebook. Let’s hope they are also fixing the flaw.
Protesters hijack more than 200 Facebook groups
(CNN) — Hundreds of Facebook groups have been hijacked in recent days by users pointing out what they say is a weakness in how the social-networking site handles the administration of its groups.
By Tuesday morning, 286 groups had apparently been renamed Control Your Info and had a new message posted to their walls.
“Hello, we hereby announce that we have officially hijacked your Facebook group,” the message reads. “This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severly [sic].”
According to Control Your Info, when Facebook group administrators step down, anyone else can take over their duties — giving them access to members’ personal information, the ability to send messages to all members of the group and the authority to make changes to that group.
“For example we could rename your group and call it something very inappropriate and nasty like ‘I Support Pedophiles’ Rights,’ ” the message continued. “But have no fear. We won’t.”
Among the groups renamed “Control Your Info” on Tuesday were a “Twilight” fan group, supporters of a high school football team and patrons of a Virginia winery.
Facebook did not immediately respond to an interview request for this report.
The names of two Facebook users who have posted Control Your Info messages after group takeovers — Janis Roukkos and Bella Roregit — did not appear to have active Facebook accounts by mid-morning Tuesday.
A message on Control Your Info’s Web site blamed Facebook for shutting down the group’s fan page. Members of the group could not be reached for comment Tuesday.
The group, which offered only a YouTube account as contact information, disagreed with calling what it had done “hacking.”
“This isn’t some kind of scare tactics, nor is it a hack, it’s a feature that can be used, and is being used, in bad ways,” the post reads. “Remember, control your info! Also, this project is strictly not for profit and done for a good cause.”
The group’s site contains pages of tips on protecting social-network users’ private information.
Not all members of the groups that were hijacked were taking the stunt in the spirit it was apparently intended.
“It’s pretty inappropriate and [expletive] you hijacked a facebook group for Palestinian rights to selfishly promote your little conspiracy theory page,” one user wrote. “I reported this to facebook and others should too.”
