“Technical Perspective: Fake ‘Likes’ and Targeting Collusion Networks”
Communications of the ACM, May 2020, Vol. 63 No. 5, Page 102
By Geoffrey M. Voelker
“[This article is an overview of a] paper [that] presents a rigorous study that explores the reputation manipulation ecosystem, ultimately working with Facebook to examine ways to stop this kind of large-scale online social networking abuse.”
The following scenario might sound like fiction. You and a million of your closest Facebook friends are going to band together to artificially improve your social networking reputation. You will willingly give a reputation manipulation service such as “official-liker.net” authorized access to your Facebook account. The manipulation service will cleverly exploit an authentication vulnerability in third-party Facebook apps to automate actions with your account. To use the service, you will view ads or pay explicit fees. The service will then use your account to “like” another Facebook account under their control—and that account will “like” yours back. You and others gain fake “likes,” presumably improving your perceived online social standing, and the reputation service makes a profit.
But this scenario is very real, and the problem it presents to Facebook and other successful online social networks is a hard one: how to completely undermine this abusive activity without penalizing the network's own users (who are knowingly and entirely complicit in the abuse) and without changing how apps authenticate (because that would add friction to the app ecosystem).
The following paper [see: Measuring and Mitigating OAuth Access Token Abuse by Collusion Networks] presents a rigorous study that explores this reputation manipulation ecosystem, ultimately working with Facebook to examine ways to stop this kind of large-scale online social networking abuse. The manipulation services are called collusion networks, since the users who knowingly participate collude with each other to generate fake actions. In their work, the authors describe how to use honeypot accounts to infiltrate the collusion networks and reveal how they operate. The authors detail how the collusion networks take advantage of an authentication vulnerability, OAuth access tokens leaked from third-party apps that the platform then accepts no matter who presents them, to perform their actions, and they comprehensively measure the extent and activity of the collusion networks they find. Who would do this? Over a million Facebook users. How many apps are vulnerable? More than half of the top 100 third-party Facebook apps. How many services are exploring this unexpected business opportunity? More than 20 such services. Finally, can these collusion networks be safely and effectively shut down? Yes.
About the Author:
Geoffrey M. Voelker is a professor in the Department of Computer Science and Engineering at the University of California San Diego, CA, USA.