If a Facebook Page is not connected to a Business Portfolio, admin roles are managed solely through the standard Page Roles interface on Facebook. If an admin tries to remove the original Page owner, Facebook sends a removal request that the owner must manually approve. This mechanism is meant to prevent unauthorized removals.
However, a logic flaw lets any existing Admin on the Page bypass this requirement. By adding the Page to their own Business Portfolio, the attacker gets it listed there with the status "Review Needed". Opening the Page details shows the list of people with access; under *Not in business portfolio* the original owner appears, and the attacker can remove that owner directly, with no approval request and no notification sent to them. In other words, the owner-approval check is enforced only in the Page Roles flow, while the Business Portfolio flow performs the same privileged removal without it.

Repro Steps

1. The attacker is an Admin on a Facebook Page that is owned by the victim and not linked to any Business Portfolio.
2. The attacker attempts to remove the Page Owner; Facebook sends a request that requires confirmation from the owner.
3. To bypass this, the attacker goes to `https://business.facebook.com/latest/settings/pages?business_id=[attacker_business_id]`.
4. The attacker adds the victim's Page to their own Business Portfolio.
5. The Page status changes to "Review Needed".
6. The attacker clicks "Details" next to the Page.
7. Under the "Not in business portfolio" section, the victim's account appears with options to "View" or "Add".
8. The attacker clicks "View" next to the victim's account and selects "Remove access".
9. The Page Owner is removed immediately, without any confirmation request.
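The root-cause class behind the steps above is a privileged operation (removing the Page owner) that is reachable through two entry points, with the owner-approval rule implemented in only one of them. The model below is an added illustration written for this page, not Facebook's code, and it makes no claim about how Facebook's services are actually structured: the `Page` dataclass, the two `vuln_*` paths, the single `remove_page_access` enforcement point and the `demo` helper are all hypothetical. It shows the same scenario run through the vulnerable Business Portfolio path and through a hardened version where every path calls one policy function, so the owner either keeps access or receives a pending request and a notification.

```python
"""Hypothetical model of the flaw class in the report above (example code for
this page, not Facebook's implementation).  One privileged operation, two
entry points, the owner-approval rule enforced in only one of them."""

from dataclasses import dataclass, field


class ApprovalRequired(Exception):
    """Removal of the owner was converted into a pending approval request."""


@dataclass
class Page:
    owner: str
    admins: set = field(default_factory=set)        # includes the owner
    pending_removals: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


def _require_admin(page, actor):
    """Both paths already do this correctly; the bug is what follows it."""
    if actor not in page.admins:
        raise PermissionError(f"{actor} is not an admin of this Page")


def _owner_removal_requires_approval(page, actor, target):
    """The policy both paths are supposed to enforce: the owner is never
    removed directly; a request is queued and the owner is notified."""
    if target == page.owner:
        page.pending_removals.append((actor, target))
        page.notifications.append((target, f"{actor} requested your removal"))
        raise ApprovalRequired(target)


# --- Vulnerable design: the rule lives inside one entry point only ----------

def vuln_page_roles_remove(page, actor, target):
    """Path 1 (Page Roles UI): the rule is enforced here."""
    _require_admin(page, actor)
    _owner_removal_requires_approval(page, actor, target)
    page.admins.discard(target)


def vuln_portfolio_remove_access(page, actor, target):
    """Path 2 (Business Portfolio > Details > 'Remove access'): same effect on
    the Page, but the rule was never applied, so the owner disappears silently."""
    _require_admin(page, actor)
    page.admins.discard(target)


# --- Hardened design: one enforcement point that every path must call -------

def remove_page_access(page, actor, target):
    """Single place where access removal happens.  Any UI or API that removes
    access delegates here, so no path can skip the owner-approval rule."""
    _require_admin(page, actor)
    _owner_removal_requires_approval(page, actor, target)
    page.admins.discard(target)


def fixed_page_roles_remove(page, actor, target):
    return remove_page_access(page, actor, target)


def fixed_portfolio_remove_access(page, actor, target):
    return remove_page_access(page, actor, target)


def demo(remove_path):
    """Run the report's scenario (attacker is an admin, victim is the owner)
    through one removal path and report the observable outcome."""
    page = Page(owner="victim", admins={"victim", "attacker"})
    try:
        remove_path(page, "attacker", "victim")
    except ApprovalRequired:
        pass
    return {
        "owner_still_admin": "victim" in page.admins,
        "pending_request": bool(page.pending_removals),
        "owner_notified": bool(page.notifications),
    }


if __name__ == "__main__":
    for path in (vuln_page_roles_remove, vuln_portfolio_remove_access,
                 fixed_portfolio_remove_access):
        print(f"{path.__name__:32s} {demo(path)}")
```

The fix is not a second copy of the check inside the portfolio UI; it is moving the removal itself behind one function so the invariant cannot be skipped by whichever entry point is added next.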