- Attacker convinced them they were a legit sponsor
- Attacker asked them to add my friend's own email address to their Business account as an admin
- Friend thought this was innocuous; they weren't already a day-to-day user of the Business Manager account, so it seemed normal that they'd need to set their own account up
- When the Business invitation came to my friend's email address they added the "accept invite" URL to the Facebook profile at Attacker's request "to enable sponsorships"
- Attacker then clicked the link, accepted the invitation, and had instantly taken over the Business account
The user never left Facebook and never entered anyone else's name or email address, but when they published the accept-invite link the attacker was ready to click it, and there is apparently no auth protection on this URL.
It doesn't appear that Facebook will do anything unless their system automatically agrees that someone's personal Facebook account was hacked and that the change of ownership happened as a result of that. Does anyone know how to get hold of anyone there?