Fake likes: Researchers uncover Facebook 'collusion networks'

Security flaw allowed at least a million Facebook accounts to generate more than 100 million "likes" and comments.

Michelle Meyers
Michelle Meyers wrote and edited CNET News stories from 2005 to 2020 and is now a contributor to CNET.
Michelle Meyers
2 min read
Social Media Illustrations and Donald Trump tweets

Are those real "likes" or fake ones?

Getty Images

You can't always judge a Facebook post by its number of likes.

That's one of the takeaways from a new study (PDF) documenting a security loophole that allowed at least a million Facebook accounts -- some real, some fake -- to generate more than 100 million "likes" and comments as part of so-called "collusion networks."

As reported by CBS News, researchers from the University of Iowa and Lahore University of Management in Pakistan uncovered "a thriving ecosystem of large-scale reputation manipulation services that leverage the principle of collusion."

The research was published Wednesday and will be formally presented at the Association for Computing Machinery Internet Measurement Conference on Nov. 1.

The research team found more than 50 sites offering free, fake "likes" for users' posts in exchange for access to their accounts. 

The collusion networks exploit OAuth code, which lets third-party apps like iMovie and Spotify access users' Facebook accounts.

Of course, the more likes a post gets, the more it gets pushed up in other people's feeds, ultimately bolstering attention to it and its influence. Authenticity has been a major issue for Facebook, which just Wednesday said it sold $100,000 worth of ads to inauthentic accounts likely linked to Russia during the election. It's also been working to combat fake news on the site and last month said it's blocking false news websites from advertising on Facebook.

On Thursday night, CBS News was able to enroll a fake Facebook account into a collusion network, granting it OAuth privileges through Apple's iMovie app. CBS News "watched as, within minutes, two posts from the brand new account gained dozens of likes," it said.

However, in a statement Friday, Facebook said it's blocked "the activity described in this research" and isn't seeing it anymore on the site.

"Meanwhile, we are investigating different techniques that could be used to generate inauthentic 'likes' in smaller volumes," the statement read.

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.

iHate: CNET looks at how intolerance is taking over the internet.