Hundreds of Facebook groups 'hijacked'

Computerworld - An anonymous group calling itself "Control Your Info" has taken over hundreds of Facebook groups to highlight what it claims is a major security weakness on the social networking site.

Facebook downplayed the incident and said no hacking or confidential information was involved.

As of this morning, more than 200 Facebook groups had been hijacked and renamed Control Your Info. Pasted on each group's Wall was a message announcing that it had been "hijacked" and reminding members to be careful about controlling personal information on social networking sites.

"This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image," the message said.

"For example we could rename your group and call it something very inappropriate and nasty, like 'I support pedophile's rights,' " the message said, while going on to assure group members that Control Your Info wouldn't do that. The message also promised to restore each hijacked group's name by the "end of next week" and promised not to "mess anything up."

A separate Web site set up by Control Your Info claimed that the group's action did not constitute hacking but was a demonstration of how a legitimately available feature on Facebook can be used to easily hijack Facebook groups.

According to Control Your Info, when the administrator of a Facebook group leaves, anyone can register as a new administrator for that group. To take control of a Facebook group, a user only has to do a quick search on Google to identify public groups with no administrators.

Once someone signs up as a group administrator, that person then can do what it likes with the group, including changing its name, sending e-mails to members and editing information on it.

"This is just one example that really shows the vulnerabilities of social media. If you chose to express yourself on the internet, make sure the expressions are your own," the group urged.

In an e-mailed statement, a Facebook spokesman downplayed the incident and said there had been no hacking and no confidential information was at risk.

"The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group," the spokesman said.

The spokesman further stated that Facebook group administrators have no access to confidential information. Administrators can edit a group name, moderate discussions or send a message to members only in the case of small groups, the spokesman said. "The names of large groups cannot be changed, nor can anyone message all members," he said. In cases where Facebook finds that a group name has been changed inappropriately, it will disable those groups, which is what it plans on doing in this case, he said.

Read more about security in Computerworld's Security Knowledge Center.