"Collusion network" Facebook flaw leads to millions of fake "likes"

Researchers say a security loophole has allowed at least a million Facebook accounts, both real and fake, to generate at least 100 million "likes" and comments as part of "a thriving ecosystem of large-scale reputation manipulation."

The researchers, from the University of Iowa and Lahore University of Management Science in Pakistan, found dozens of sites that operate so-called collusion networks, which rapidly generate users' likes for free.

Facebook posts that rapidly receive a lot of likes are more likely to be placed higher in other people's feeds, meaning users buoyed by fake likes can ultimately generate significantly more real attention and influence.

In order to participate, users have to grant the networks wide-ranging access to their accounts, so that those accounts can be harnessed to like others. 

A screengrab shows the Facebook permissions accessed by a so-called collusion network that exploits the iMovie app on the social media platform. CBS News

The networks exploit code known as OAuth, which allows third-party applications such as Spotify, iMovie and the Playstation Network to access users' Facebook accounts from anywhere between a few hours to even months at a time. 

Researchers warn the exploit can be used for darker purposes than just gathering extra likes.

"In addition to reputation manipulation, attackers can launch other serious attacks using leaked access tokens. For example, attackers can steal personal information of collusion network members as well as exploit their social graph to propagate malware," they write in their forthcoming paper.

In an interview with CBS News, the researchers said they tracked the collusion networks in the run-up to the 2016 presidential election, but couldn't say whether the networks were used to boost posts to benefit or hurt candidates. They said their research was just scratching the surface.

"We do want to examine the Russia question," said co-author Zubair Shafiq, who added that while they only looked at the top 50 networks, many more exist. "These collusion networks are quite possibly involved in orders of magnitude much larger than what we observed."

Troll farm bought $100K in Facebook ads

Facebook acknowledged Wednesday that hundreds of phony accounts that appear to have originated in Russia bought $100,000 in advertisements during the 2016 U.S. presidential campaign and in the months following the election. It is not clear if the ads, or other false stories shared during the election, were boosted through influence networks.

The researchers revealed their findings to Facebook in May 2016, ultimately working with Facebook to implement countermeasures to combat the networks. 

Facebook said in a statement to CBS News that the collusion networks have now been blocked.

"We have addressed the activity described in this research and we are no longer seeing it on our platform. Meanwhile, we are investigating different techniques that could be used to generate inauthentic likes in smaller volumes. We will take the appropriate action to help ensure that connections and activity on our service are authentic," a Facebook spokesperson said.

However, on Thursday night CBS News enrolled a fake Facebook account into a collusion network — granting it OAuth privileges through Apple's iMovie app — and watched as, within minutes, two posts from the brand new account gained dozens of likes.

Shafiq said Facebook at one point sought to bar publication of the research, citing non-disclosure agreements. The company later agreed their paper could be submitted to the Association for Computing Machinery Internet Measurement Conference, where it will be presented on Nov. 1.

"After the presidential election, in roughly February of this year, we actually had some resistance to publishing this paper," Shafiq said. "I want to mention that our initial research was independent of Facebook, and then Facebook said that they didn't want it to be published."

How scammers on Facebook are using your friends' identities

The news of networks gaming Facebook's likes comes after the company saw a torrent of revelations related to flawed metrics and fake users on the social network.

In April, Facebook purged tens of thousands of fake accounts that had liked media pages as part of a wider strategy to appear real while spamming users, and it removed 30,000 accounts — allegedly tied to Russian influence operations — in the run-up to the French national election in May.

In 2016, the company announced that it undercounted the traffic of some publishers and for more than a year over-reported time spent on Facebook's Instant Articles platform. It acknowledged issues affecting a range of metrics — including ad reach, streaming reactions, likes and shares, and admitted that for two years it reported to advertisers overestimated figures for the average time users spent watching videos on its platform.

The disclosures in 2016 led to a putative class action lawsuit, which was filed by a Facebook investor in January. 


Got news tips about digital privacy, social media or online marketing? Email this reporter at KatesG@cbsnews.com, or for encrypting messaging, grahamkates@protonmail.com (PGP fingerprint: 4b97 34aa d2c0 a35d a498 3cea 6279 22f8 eee8 4e24).

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.