7

Suppose I have a team or organization managing a single twitter account and a single facebook page. Different users need to be able to post content to the same account. How can I minimize the risk of this account being compromised?

In my opinion, the ideal scenario would be (1) multiple users having posting permissions, and no user having admin permissions, combined with (2) posting to the account indirectly, via a service that can be used only to post but not to change settings.

I can achieve this with Twitter: The account is never used from any browser or app. The password is stored in a safe place offline. Each user has set up a Tweetdeck account and associated the twitter account with it. This way they can post to twitter, but can't change the original twitter password or any other setting. If someone unauthorised gains access to the tweetdeck account of any team member, the worst possible outcome would be tweets. If the original twitter account is hacked, or the password forgotten, the usual account recovery takes place. As the original account is used only indirectly, it is in fact less insecure than an account used frequently.

This approach also helps in the case of hit by a bus: the email used for twitter account is an email account belonging to the organization, so getting account recovery info is trivial.

It doesn't occur to me a similar approach on Facebook (or other social networks where there's a secondary profile linked to a personal profile. I think Google Plus also behaves that way)?

In Facebook, at least one user has to be admin of a "page". The admin credentials are linked to the daily-use personal account. If this personal account is compromised, the entire page is compromised. Multiple users can be admins, but it will only multiple the risks, as a single admin can remove all other admins.

Combine this with the immense number of malware and xss attacks aimed at facebook, as well as fake login screens and social engineering attacks.

1) Is my assumption and approach to posting on twitter correct or flawed? 2) If (1) is correct, how to proceed about posting to FB?

Community
  • 1
That Brazilian Guy
  • 521
  • 5
  • 14

4 Answers4

4

In this case, I wouldn't try to roll my own solution per platform, since there are tools designed specifically to manage team access to social media accounts. HootSuite, for instance, has a number of team management features. All you have to do at that point is manage access to HootSuite, not Twitter and FaceBook and anywhere else you might have accounts. For options other than HootSuite (which I don't personally use, so can't vouch for) try a search using a term like "social media marketing management tools for teams" or something similar.

Xander
  • 35,525
  • 27
  • 113
  • 141
3

I would recommend having a single user entitled to do the actual posting, and serving as proxy for all others. This allows him to avoid collisions (two of the posters posting the same thing almost simultaneously). To prepare for the untimely demise of that specific user, a backup of passwords is kept in a safe place (preferably, in a safe).

A secret which is shared by more than two people is no longer a secret, so don't share passwords.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • 1
    That would work fine for twitter, as there's a password *only for the organization account*. On FB, the personal user password is used to control the organization's page, and asking for personal passwords might even be ilegal on some countries. – That Brazilian Guy Mar 15 '13 at 15:41
2

how to proceed about posting to FB?

Adding to other answers i would like to say that even with facebook pages you have some additional options like having a content creator or a moderator for your page.

  • These people can post on behalf of the page or they can act as moderators
  • They do not have permission to manage admin roles. They can not remove other admins.

this link will give you more details about different kinds of facebook page admins and things they they can/cannot do.

Shurmajee
  • 7,285
  • 5
  • 27
  • 59
1

First, you should understand that fb or twitter or any other social networking site is NOT made with the concept of RBAC.

All the features you have mentioned in your question cross-ponds to the RBAC features (e.g privileges to edit/add,read only etc).

There are workarounds (e.g twitterdock) which you mentioned yourself,but i know many social PR firms have facebook page as their website alternative pages, and they let one man / role do all the site management task.

Saladin
  • 1,547
  • 3
  • 14
  • 23