Hundreds of Facebook Groups Hacked


(Update UTC 2100: I’ve received a reply from Erik Hjort af Ornäs, the registrar of the site itself, and have included his statement below and in the comments, as well as that of Facebook. Both deny any hacking took place)

A hacker, or group of hackers, has found a way to take over Facebook groups, and is now doing so, claiming it to be a public service. Up to 300 different Facebook groups have been taken over so far.

This is an example of one:


On each of them the group name is changed to Control Your Info, the group logo changed and its description is altered to

Hello, we hereby announce that we have officially hijacked your Facebook group.
This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severely.
For example we could rename your group and call it something very inappropriate and nasty, like “I support pedophile’s rights”. But have no fear – we won’t. We just renamed it Control Your Info. Because this is really all we want:
Think about the safety in your social media life to the same extent you do in your real life.
Watch the videoclip for more information or check out for more tips soon!
We promise to restore your group name and leave the group by the end of next week. Don’t worry – we won’t mess anything up.
Best regards

A message is then sent to all members of that group.

The method is explained on the hackers’ website:

Facebook Groups suffer from a major flaw. If an administrator of a group leaves, anyone can register as a new admin. So, in order to take control of a Facebook group, all you really have to do is a quick search on Google.

When you’re admin of a group, you can basically do anything you want with it. You can change its name, and the group’s members won’t even get a notification of it. You can send mails to all members and edit info. This is just one example that really shows the vulnerabilities of social media. If you choose to express yourself on the internet, make sure the expressions are your own and not a spammer’s. This isn’t some kind of scare tactic, nor is it a hack, it’s a feature that can be used, and is being used, in bad ways. Remember, control your info! Also, this project is strictly not for profit and done for a good cause.

It’s not clear to me how they search on Google for recently departed admins, but I’m sure it’s relatively easy.

Neither is it clear who is behind the website itself. The site is registered to one Erik Hjort af Ornas of Stockholm. I’m emailing him to seek more information. Here is his statement:

Our main goal is to draw attention to questions concerning online privacy awareness.

We have seen too many examples where friends and relatives of ours have suffered from their lack of in-depth knowledge concerning their online presence. After some research we discovered this is a widespread problem. People have even lost their jobs over Facebook content. So we wanted to do something about this.

Our method of choice only serves the purpose to prove our point and put emphasis on how easy it is to lose track of a part of your online presence. If we hadn’t communicated this way, our message would probably have fallen into oblivion the moment it got out.

So, what exactly did we do and how?

We discovered that many groups on Facebook are left without an administrator. All we needed to find these groups was one quick Google search. The search results also revealed many groups that already had been hijacked by various people. Their intentions remain unclear.

So we simply joined 289 open groups and made ourselves administrators. We did not hack anything. Once we were administrators we owned the groups and could have changed any setting. We chose to change the picture, the name and the description of every group. Our intention was and is to restore these groups to their original form and find a suitable admin among the members. To be able to do this, we first backed up all the data we wanted to replace.

During the process we broke the terms of service, as defined in the Statement of Rights and Responsibilities of Facebook, and were rightfully banned:

§ 4.1  “You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission”.

We created fictive accounts for one reason: we wanted to put focus on our message rather than our persons. It also eased the process of joining and administrating this large number of groups.

Facebook was apparently not aware of this bug in its software. In response to an emailed query, Facebook denies that there is any bug in its software, that any hacking took place, or, apparently, that there was any mass takeover of groups. According to a spokesperson:

There has been no hacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. Group administrators have no access to confidential information and group members can leave a group at any time. For small groups, administrators can simply edit a group name or info, moderate discussion, and message group members. The names of large groups cannot be changed nor can anyone message all members. In the rare instances when we find that a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups.

My comment on this: 300-odd Facebook groups hacked—or usurped, or hijacked, or whatever you want to call it—is not a ‘rare instance’. What’s more, the groups I checked were very much still active. I frankly don’t find the Facebook response particularly helpful or reassuring.

It’s hard to see how this public service helps—the group, or individual, should be approaching Facebook and helping them plug the hole. This tactic is likely to sow confusion and fear among the Facebook populace, and possibly lead to the erasure of some treasured data on those defaced groups.
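Both the hijackers’ explanation and Facebook’s reply turn on the same policy: once the last admin leaves, any member can make themselves admin, and an admin can rename the group without members being told. The toy model below is an added example (not code from this post, from the site’s owners or from Facebook) that puts that weak policy beside a hardened one in which a departing admin must hand off or the group freezes, every member is notified, and renames are always announced; the group, member names and the policy details are constructed for illustration.

```python
# Added example: toy model of an "orphaned group" admin policy and a hardened variant.
# Group/member names and the policy details are constructed, not Facebook's real code.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set
    admins: set = field(default_factory=set)
    frozen: bool = False                     # hardened mode: locked while it has no admin
    log: list = field(default_factory=list)  # notifications members would receive


def admin_leaves(group, admin, successor=None, hardened=False):
    """Weak policy: the group is silently orphaned. Hardened policy: the admin
    hands off to a successor, or the group freezes and every member is told."""
    group.admins.discard(admin)
    group.members.discard(admin)
    if hardened and not group.admins:
        if successor in group.members:
            group.admins.add(successor)
            group.log.append(f"admin role handed to {successor}")
        else:
            group.frozen = True
            group.log.append("group has no admin: settings locked, members notified")


def claim_admin(group, user, hardened=False):
    """Weak policy (as described on the page): any member of an orphaned group can
    promote themselves, silently. Hardened: the claim is only recorded and broadcast
    for review; nobody gains admin rights by merely asking."""
    if user not in group.members:
        return False
    if hardened:
        group.log.append(f"{user} requested admin of frozen group (pending review)")
        return False
    if group.admins:
        return False
    group.admins.add(user)
    return True


def rename(group, user, new_name, hardened=False):
    """Weak policy: an admin renames with no notification. Hardened: renames are
    blocked while frozen, and every rename is announced to all members."""
    if user not in group.admins or (hardened and group.frozen):
        return False
    old, group.name = group.name, new_name
    if hardened:
        group.log.append(f"renamed '{old}' -> '{new_name}' by {user}")
    return True
```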

The Strange, Short Life and Death of ‘My Private Folder’

Microsoft has introduced a new application for Windows XP users, and even more quickly, killed it off. The app was free, but what was the company thinking?

A piece by Mark Hachman and Natali T. Del Conte at PCMag on Friday says that “If you’ve heard of Microsoft Private Folder 1.0, forget it. As of 2:30 p.m. Pacific Time on Friday, it no longer exists. Microsoft quietly added the free encryption utility earlier this month, and then just as quietly deleted it. The utility allowed users to encrypt and store files inside a private folder.” Cute, and according to Microsoft designed as a benefit (read: inducement) to customers who allow their computers to be verified as running an unpirated copy of Windows.

The trouble is, the program doesn’t work. Or as a Microsoft spokesperson puts it: “we received feedback about concerns around manageability, data recovery and encryption, and based on that feedback we are removing the application.” The problem, according to Microsoft, is that if you forget the password there’s no way back into the files you’ve encrypted (such tools usually rely on Windows’ Encrypting File System, EFS, which supports recovery agents so that system administrators can retrieve files if necessary).

But actually the problem was more serious than that. According to a note posted to the bottom of the story, the application runs a service in the background to handle encryption and decryption, and that service slowed the system to a crawl by apparently using more than 90% of the CPU. And while some network administrators have worried that they would be inundated with users’ pleas for help after forgetting their passwords, the problem actually seems to lie more in the poor software itself: users report losing files, spontaneous reboots, and corruption of the encrypted files.

Maybe the biggest blow, however, is that the files aren’t really hidden. For one, the folder installs itself onto the desktop, a big bright shining “My Private Folder” visible to everyone (this can be deleted). For another, Humphrey Cheung at TG Daily reports that by booting into Safe Mode a user is able to see all the files in My Private Folder. (This could also be done by simply uninstalling the application.) They remain encrypted, but if someone really wanted to, they could examine the files with a hex editor to pluck out any interesting-looking stuff. Even the file names might be revealing enough.

So the spokesperson was right in saying “around manageability, data recovery and encryption”. But why did Microsoft release something, however small and toylike, that was so fraught with problems, bugs and silliness?

Tamiflu and the Online Buying Epidemic

Sadly, this might be the way of the future: Selling prescription drugs that everyone wants in the middle of a pandemic to the highest bidder. The Register reports that people have been selling Tamiflu on eBay for up to four times its usual price:

Internet auctioneer eBay has shut down sales through its service of Tamiflu, which can help reduce the severity of avian flu, amid growing concern of a potential pandemic that could kill humans. An eBay spokesperson told The Register that the company had pulled a handful of listings from its UK web site, because the sales contravened eBay’s policy over the sale of controlled substances and prescription drugs.

eBay acted as packets of Tamiflu, which comprise 10 capsules, had reached £104 and attracted 84 bids. Tamiflu is usually available through prescription only, for between £25 and £30.

(I’m not quite sure who to credit for this story: A very similar account appears on ZDNet, quoting Reuters.)

Another story from AFP (via Singapore’s TODAYonline) highlights some of the dangers of this kind of thing. It quotes David Reddy, a senior executive at Tamiflu’s maker, Roche, as saying he had heard of reports of Internet sales “of a drug that was purported to be Tamiflu but in fact was not.” He declined to give details until the matter had been investigated. A Taiwan newspaper, meanwhile, catalogues a Tamiflu buying frenzy since August.

Microsoft DVDs and the Elusive Truth

What’s true and what’s not? Not that easy to ascertain these days (not that it ever was particularly easy) with blogs and all that. This piece from The Business has, as you might have read, been roundly condemned as untrue: Microsoft invents a one-play only DVD to combat Hollywood piracy:

COMPUTER software giant Microsoft has developed a cheap, disposable pre-recorded DVD disc that consumers can play only once. The discs would give Hollywood increased control over the release of new films and allow consumers the chance to watch a film at the fraction of the price of an ordinary pre-recorded DVD. More important, the discs would prevent copying and digital piracy, which is costing the film and music industry billions in lost revenues.

Despite being widely cited, it has been shot down by Scoble and others. Not only has it been called incorrect, but also a “hoax”. Not the kind of thing a publication seeking a reputation would like to hear one of its front page stories called. After all, The Business is owned by the Barclay brothers, “who have other publishing interests in The Scotsman, Scotland on Sunday, Edinburgh Evening News, The Daily Telegraph, The Sunday Telegraph and The Spectator magazine”, according to the website.

So were the doubters right, or a tad quick with their ack-ack fire? I contacted the author, business editor Tony Glover, who says the online publication “stand[s] by the story 100% and will be running a follow-up on Sunday naming sources”. As it’s only Friday we’ll have to wait, but I’m more interested in the ping-pong this story throws up, and the difficulty readers have in ascertaining the truth. Is Scoble a Microsoft source? If a Microsoft spokesperson “concludes” the story is not true, does that make it untrue? I’m agnostic on whether the story is true or not (a fancy way of saying I don’t really care). But I think certain basic journalistic standards apply here. Such as:

  • Someone writing the story should get an official comment on the assertion, and include that comment, or non-comment in the piece. Not to do so on anything remotely controversial is a professional lapse. To do so shows you’ve at least tried to get the story confirmed.
  • People citing, picking up or linking to the story should make their source clear, in a link and a mention of the source. Not to do so leaves the writer vulnerable should the story not be true, but, more importantly, gives the reader a chance to judge for himself the veracity of the story. (It would also help, in the case of obscure publications, to include some background on the source to assist the reader in this.)
  • When a writer finds a story they believe to be untrue, they should try to contact the author for comment when publishing their ‘knock-down’ story. At the very least, they must show they have authoritative sources who contest the story’s accuracy or veracity (not the same thing) and make this clear. They might also choose careful language which allows for the possibility of gray between the black and the white — “source X said he knew of no such meeting/product/agreement”, or “company X denied the story and said on the contrary it had no plans for xxxx”. Saying something is a hoax/has no truth to it/is bogus without enclosing the comment in quotes is not only a tad extreme, it’s not good journalistic practice. Imagine if someone did it to you.

Let’s see what Mr. Glover and The Business come up with on Sunday. Maybe all this is a storm in a teacup and we’re all comparing apples and oranges. But I’m all for a bit of temperance on the part of journalists and bloggers alike when dealing with the truth or lack of truth of another person’s story. Let he who casts the first stone be dang sure his version is pristine white.

Pentagon Scraps Internet Voting Plan

Further to earlier postings about security fears for a new Internet voting system for overseas Americans, AP is quoting an anonymous official as saying the Pentagon has scrapped the plan. CNET attributes the same story to a spokesperson for the Pentagon.

AP quoted the official as saying Deputy Defense Secretary Paul Wolfowitz made the decision to scrap the system because Pentagon officials were not certain they could “assure the legitimacy of votes that would be cast.” CNET quoted a spokesperson as saying pretty much the same thing: “The action was taken in view of the inability to ensure the legitimacy of the votes cast.”

About 6 million U.S. voters live overseas, most of them members of the military or their relatives. Pentagon officials had said they still planned to use the system, called SERVE, this fall and would test it during last Tuesday’s South Carolina primary. But the day before the voting the Pentagon called off the South Carolina test. CNET says the Defense Department is not completely dropping the idea: “Efforts will continue to look into all technical capabilities to cast votes over the Internet,” the spokesperson was quoted as saying.