This security mechanism is intended to prevent any admin from removing the owner without the owner's consent.

Normally, if an admin attempts to remove the original page owner, Facebook sends a removal request that the owner must manually approve. This mechanism is intended to prevent unauthorized removals.

However, there are two main flaws in this system:

1. No limit on repeated page deactivation: there is no restriction on how many times a page can be deactivated and reactivated.
2. Automatic approval after 30 days: if the owner does not respond to the admin removal request within 30 days, Facebook approves the request automatically and removes the original owner.

### Exploitation Method

An attacker can exploit these two issues together using a simple Python program that repeatedly deactivates the page every few seconds (for example, every 15 seconds) for a full month.

Because the page remains deactivated:

* The removal notification disappears each time the page is deactivated or the request is rejected.
* The page owner cannot access the page to reject the request.
* If the owner attempts to reactivate the page, they are immediately logged out again by the attacker's script.

After 30 days:

* The system automatically removes the original owner.
* The attacker gains full, permanent control of the page.
* This happens without any action or consent from the victim.

### Reproduction Steps

1. The attacker is an admin on a Facebook Page owned by the original owner.
2. The attacker removes the owner.
3. The system sends the removal request to the original page owner.
4. Facebook notifies the owner: "The attacker requested to remove you from this Page. This request will be automatically accepted in approximately 30 days if no action is taken."
5. The attacker runs the script that deactivates the Page every 15 seconds.
6. While the Page is deactivated:

  • The removal notification disappears from the owner's account.
  • If the owner tries to reactivate the Page, the script immediately logs them out again.

7. After 30 days, Facebook automatically accepts the request, and the original owner permanently loses access.
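To make the interaction between the two flaws concrete, here is an added simulation of the approval logic described in the exploitation method and the reproduction steps above. It is written for this writeup and is not Facebook's code: the 30-day window and the 15-second deactivation loop come from the text, while the one-deactivation-per-day cooldown and the rule of counting only time the page was actually visible to the owner are assumed hardening choices, included to show which fix closes which gap.

```python
# Added simulation for this writeup; not Facebook's code. The policy classes,
# the cooldown value and the "visible time only" rule are assumptions.
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 3600
AUTO_APPROVE_AFTER = 30 * DAY      # the 30-day window described in the writeup
ATTACKER_INTERVAL = 15             # the script's deactivation period from the writeup
DEACTIVATION_COOLDOWN = DAY        # assumed hardening: at most one deactivation per day


@dataclass
class Page:
    active: bool = True
    active_since: int = 0           # start of the current active stretch
    visible_seconds: int = 0        # seconds the owner could have seen the request
    last_deactivation: int = -DAY   # far enough back that the first deactivation passes
    deactivations: int = 0


@dataclass
class RemovalRequest:
    created_at: int
    approved: bool = False
    rejected: bool = False


class FlawedPolicy:
    """Behaviour as described above: wall-clock timer, unlimited deactivations."""

    def deactivate(self, page: Page, now: int) -> bool:
        page.active = False
        page.deactivations += 1
        return True

    def reactivate(self, page: Page, now: int) -> None:
        page.active = True
        page.active_since = now

    def auto_approve(self, req: RemovalRequest, page: Page, now: int) -> bool:
        # Elapsed wall-clock time counts whether or not the owner could see the request.
        req.approved = now - req.created_at >= AUTO_APPROVE_AFTER
        return req.approved


class HardenedPolicy:
    """Assumed fix: throttle deactivation and count only time the page was visible."""

    def deactivate(self, page: Page, now: int) -> bool:
        if now - page.last_deactivation < DEACTIVATION_COOLDOWN:
            return False                                  # throttled
        if page.active:
            page.visible_seconds += now - page.active_since
        page.active = False
        page.last_deactivation = now
        page.deactivations += 1
        return True

    def reactivate(self, page: Page, now: int) -> None:
        if not page.active:
            page.active = True
            page.active_since = now

    def auto_approve(self, req: RemovalRequest, page: Page, now: int) -> bool:
        visible = page.visible_seconds + ((now - page.active_since) if page.active else 0)
        req.approved = visible >= AUTO_APPROVE_AFTER
        return req.approved


def simulate(policy, owner_checks_every: Optional[int] = DAY, days: int = 31) -> dict:
    """Run the race tick by tick. The owner, when present, reactivates the page
    every `owner_checks_every` seconds and rejects the request if the page is
    still active one tick later (the notification actually stayed visible).
    `owner_checks_every=None` models an owner who never logs in."""
    page = Page()
    req = RemovalRequest(created_at=0)
    for now in range(0, days * DAY + 1, ATTACKER_INTERVAL):
        policy.deactivate(page, now)                      # attacker's script fires
        if owner_checks_every and now > 0 and now % owner_checks_every == 0:
            policy.reactivate(page, now)                  # owner turns the page back on
        elif page.active and now > 0:
            req.rejected = True                           # owner saw the request and declined
            break
        if policy.auto_approve(req, page, now):
            break
    return {"approved": req.approved, "rejected": req.rejected,
            "ended_at_day": now / DAY, "deactivations": page.deactivations}


if __name__ == "__main__":
    for name, policy in (("flawed", FlawedPolicy), ("hardened", HardenedPolicy)):
        print(name, "owner present:", simulate(policy()))
        print(name, "owner absent: ", simulate(policy(), owner_checks_every=None))
```

With the flawed policy the request is approved on day 30 in both scenarios, because the attacker's 15-second loop keeps the notification out of the owner's reach and the timer never stops. With the assumed hardened policy the cooldown leaves the page active long enough for a present owner to reject the request on day 1, and an absent owner is protected by the timer advancing only while the page is visible, so the request simply stays pending.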

PoC: https://youtu.be/cCdJwa_eNRo