Facebook hits back at hacked Groups claims

Control Your Info, a group of four developers and designers, brought the capability to light in a posting on its website. A simple Google search throws up Facebook groups which have no administrators, it said.

"When you're the admin of the group, you can basically do anything you want with it. You can change its name, and the group's members won't even get a notification of it", the privacy collective advised. "You can send mails to all members and edit info."

Erik Hiort, one of Control Your Info's founders, argued that administrator roles shouldn't be up for grabs without restrictions. "There are several possibilities to solve this", he said. "Maybe only users who've been in the group for a predefined period should have the possibility to apply for the admin role?"
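To make the proposed control concrete, the following added example (not Facebook's code, and not code from Control Your Info) models an orphaned-group takeover check as an authorization decision: a member may claim the admin role only when the group has no remaining administrator and the member's tenure exceeds a predefined minimum. The data model, the `can_claim_admin` and `claim_admin` functions, the 90-day threshold and the sample group are all constructed for illustration; the audit trail is included because the article notes that members currently receive no notification of such changes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical data model (constructed for this example, not Facebook's API).
@dataclass
class Membership:
    user_id: str
    joined_at: datetime
    is_admin: bool = False


@dataclass
class Group:
    name: str
    members: dict = field(default_factory=dict)   # user_id -> Membership
    audit_log: list = field(default_factory=list)  # records of admin changes

    def has_admin(self):
        return any(m.is_admin for m in self.members.values())


# Constructed threshold standing in for the "predefined period" Hiort suggests.
MIN_TENURE = timedelta(days=90)


def can_claim_admin(group, user_id, now, min_tenure=MIN_TENURE):
    """Return (allowed, reason) for a request to become admin of a group.

    The checks are ordered so the cheapest rejection comes first and every
    denial carries a reason that can be logged or shown to the requester.
    """
    membership = group.members.get(user_id)
    if membership is None:
        return False, "requester is not a member of the group"
    if group.has_admin():
        return False, "group still has an administrator; no takeover allowed"
    if now - membership.joined_at < min_tenure:
        return False, "membership tenure is below the required minimum"
    return True, "eligible: orphaned group and sufficient tenure"


def claim_admin(group, user_id, now, min_tenure=MIN_TENURE):
    """Grant the admin role if the policy allows it, and record the change."""
    allowed, reason = can_claim_admin(group, user_id, now, min_tenure)
    if allowed:
        group.members[user_id].is_admin = True
        # Every successful promotion leaves an audit record so that members
        # (or moderators) can see who took over an abandoned group and when.
        group.audit_log.append({
            "event": "admin_claimed",
            "user_id": user_id,
            "at": now.isoformat(),
        })
    return allowed, reason


# Constructed sample data: one long-standing member, one who joined days ago.
SAMPLE_NOW = datetime(2009, 11, 10)


def build_sample_group(now=SAMPLE_NOW):
    group = Group(name="Abandoned alumni group")
    group.members["veteran"] = Membership("veteran", now - timedelta(days=400))
    group.members["newcomer"] = Membership("newcomer", now - timedelta(days=3))
    return group


if __name__ == "__main__":
    g = build_sample_group()
    for uid in ("stranger", "newcomer", "veteran", "newcomer"):
        print(uid, claim_admin(g, uid, SAMPLE_NOW))
    print(g.audit_log)
```

Run as a script, the sequence shows the non-member and the new member being refused, the long-standing member being promoted, and a later request being refused because the group now has an administrator.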

Facebook, which allegedly shut down Control Your Info's fan page, hit back at reports that groups on the service had been hacked.

"There has been no hacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group", Facebook said in a statement.

"Group administrators have no access to private user information and group members can leave a group at any time. For small groups, administrators can simply edit a group name or info, moderate discussion, and message group members. The names of large groups cannot be changed nor can anyone message all members. In the rare instances when we find that a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups."

However, Jeremiah Grossman, chief technology officer and founder of WhiteHat Security, disagreed with Facebook. "It is a vulnerability, unless of course it's expected behavior for someone to take over someone else's group", said Grossman, who gave a presentation on application logic flaws at the Black Hat conference in 2008.

Although he said that the management of Facebook group administrator roles is likely to be more of an annoyance than a real security risk, he did acknowledge that it might be possible for someone to gain ownership of the group and then exploit the trust of unobservant group members by sending them malicious messages or application requests.
