Update 31.07.2020

Fanpage checkout tickets are now good to go! For more info, see this post.

Original message:

Until further notice, we’re halting all Fanpage listings for security reasons.

Just a few years ago, the hidden admin trick allowed malicious Fanpage sellers to regain control over a sold Facebook Fanpage, at a later on date. There were actually a few methods (most of them are patched now) that allowed old owners to regain access. The one I am personally familiar with was the disabled profile method. The method was quite simple, add an admin invite to a FB account you control, then disable the account. From the Fanpage end, you wouldn’t see the pending invite. Once the malicious seller sold the page he would simply reactivate the profile and the invite would show up again (and still be valid). As you can imagine, such exploits caused tons of people to become victims, as there was no easy way to defend against them.

It seems a similar method is back online, and we’ve just witnessed it working first hand. We don’t want to reveal the username of our SWAPD member who currently knows this exploit, but he helped us test and validate this method for which we’re thankful for.

What can you do to protect yourself?

Adding a business manager may help you keep your page, but you will still have a hidden admin in the background who will be able to change every setting of your page. So, with this particular method, you’re not safe just by adding a business manager. But we still recommend adding your page to your FB business, this way at least you won’t lose ownership.

Can you be removed as admin by a hidden admin?

Yes, once the 7-day rule passes, the hidden admin will be able to remove/add anyone he/she pleases.

What can we do to fix this?

Even though we were advised not to go public with it, we’re doing the exact opposite. Especially since we’ve found out that this was already reported to the bug bounty hunters over @Facebook and they’ve said they don’t consider this an exploit. Our admins already filed another report, we are waiting for a response.

How does the method work in detail?

Nice try. We will not reveal this.

How can I check if I have a hidden admin.

We are working on a tutorial and should have one ready by tonight/tomorrow. See also Goofy’s response.

So are Fanpage sales over on SWAPD?

No! We just need to make sure we find the most effective (and easy) way of checking for hidden admins so we can vet things during sales. We hope to have a solution really soon.

So, until then, all Fanpage listings are no longer valid. If you have any open tickets, you’re entitled to back out from them.

How does it work? Asking for a friend

Here are some points that we’ve taken away during the investigation of this:

Can I check if my Page has any hidden admins?

Yes. By transferring the Page ownership to your Business Manager, you should be able to see a complete list of admins, including hidden admins.

What do I do if I’ve bought a Page off SWAPD that has a hidden admin?

Contact me or any other administrator to have it reviewed.

Are there any ways I can find out if a Page has hidden admins before I purchase it?

You can ask the seller to link the Page to a business manager and have the complete access-list reviewed.

To be updated.

Also a good way of knowing right away is if the buyer is the only admin on the page and he tries to accept his own BM invite which is rejected by the 7-day rule. That means he really isn’t the only admin.

Is this new trick immune to page transparency, lately that’s what I mostly check to see whether there is something going on by the seller. If multiple role changes happened in the last month, I stay away from these pages. Anyways, hope to see that tutorial soon Be safe

Goofy like as we do simple ownership add our BM there and after that it shown admin like that, if i am only admin it will show me and if any other it will shows others too??

Goofy if you can have a small video on this it will be better so we can check out before selling or buying page that there is any hidden admin or not…the video must have 2 parts for buyer what they need to do before buying to see if there is any hidden admin or not and for sellers to see if their page has any hidden admin or not this will be much easier for buyer and sellers both to see their pages if have any hidden admins

Buy from me only

Update: We’re resuming sales tomorrow. Thanks to one of our awesome members we now have an easy way of checking for the hidden admin. We will train our staff tomorrow and resume Fanpage sales.

Today my page got hacked by this. Is there any way back?

Not that I am aware of.

Yeees

Forgive the delay, we’re running a little late. We will be ready to reopen Fanpages tomorrow!

Stop spending time with Yair. You are inheriting his qualities.

We are resuming Fanpage tickets now, all good to go. In case anyone is wondering what’s the simplest way of checking for a hidden admin, here is how.

How to check for hidden Facebook Fanpage admin?

While being an admin you need to:

• open Redirecting...
• click settings
• select page and click page roles

If there are any hidden admins, they will be seen in the creator studio. So, just compare the page roles in the creator studio vs. the regular page roles and you will be able to tell whether there are any hidden admins on your Fanpage.

IMPORTANT!

This ONLY works if there is no business owner (page owner) on the Fanpage. So, if you buy/sell pages and are getting ready to secure one, make sure the BM is removed by the seller before you test for hidden admins.

Also, another way of checking for hidden admins is through your own Facebook business. As long as you claim the page, you will see the hidden admins from business.facebook.com settings. The creator studio way is way easier and quicker, though.

@Administrators please like this post so I know that you’ve read the new addition to our transfer checkups. Thank you!

It’s funny how little attention this thread received. If SWAPD was live 6-7 years ago and we stopped Fanpage sales people would freak out. Now? No one cares for FB anymore (or should I say, not as much as they used to).