Normally, if an admin attempts to remove the original page owner, Facebook sends a removal request that the owner must manually approve. This mechanism is designed to prevent unauthorized removals.

However, a new feature, Page Unpublishing, allows any admin to change a Page's status so that it is hidden from the public, letting them make edits while the Page is unpublished and then republish it. If an admin attempts to remove the Page owner while the Page is unpublished, the system does not send the removal request to the owner; instead, the owner is removed immediately without their consent. In other words, the removal request is only issued when the Page is published.

Impact

  • The owner is removed permanently without their consent.
  • The attacker gains full and persistent control of the Page without the owner's knowledge or approval.

Repro Steps

  1. The attacker is an admin on a Facebook Page owned by the original owner.
  2. The attacker attempts to remove the Page Owner, but Facebook sends a request that requires confirmation from the owner.

**To bypass this request:**

  3. The attacker unpublishes the Page.
  4. The attacker removes the Page owner.
  5. The Page owner is removed immediately without any confirmation request.
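To make the logic flaw behind the mechanism and the repro steps above concrete, here is an added, constructed Python model of the owner-removal check (not code from the report or from Facebook). The vulnerable function raises the owner-consent request only while the Page is published, as the report describes; the fixed function requires the owner's approval regardless of publish state. The `Page` class, function names and the "pending request" representation are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Page:
    """Constructed model of a Page: one owner, a set of admins, a publish flag
    and the owner-removal requests still awaiting the owner's approval."""
    owner: Optional[str]
    admins: Set[str]
    published: bool = True
    pending_removal_requests: Set[str] = field(default_factory=set)


def set_published(page: Page, actor: str, published: bool) -> None:
    """Any admin may unpublish or republish the Page (as the report describes)."""
    if actor not in page.admins:
        raise PermissionError(f"{actor} is not an admin")
    page.published = published


def remove_owner_vulnerable(page: Page, actor: str) -> str:
    """Reported behaviour: the consent request is tied to the publish state."""
    if actor not in page.admins:
        raise PermissionError(f"{actor} is not an admin")
    if page.published:
        page.pending_removal_requests.add(actor)  # owner must approve first
        return "request_sent"
    page.owner = None  # unpublished: owner removed outright, no request
    return "owner_removed"


def remove_owner_fixed(page: Page, actor: str) -> str:
    """Hardened: the owner's consent is required whatever the publish state."""
    if actor not in page.admins:
        raise PermissionError(f"{actor} is not an admin")
    page.pending_removal_requests.add(actor)
    return "request_sent"


def approve_removal(page: Page, approver: str, requester: str) -> str:
    """Only the current owner can approve a pending request against themselves."""
    if approver != page.owner:
        raise PermissionError("only the owner can approve their own removal")
    if requester not in page.pending_removal_requests:
        raise LookupError("no pending request from that admin")
    page.pending_removal_requests.discard(requester)
    page.owner = None
    return "owner_removed"
```

The point to check in a real system is that a consent-gated action never has a second code path keyed on an unrelated state flag such as visibility.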

POC: https://youtu.be/YzM-vqrWhyI