A research team from McGill University’s computer science school has published a research paper that demonstrates a way of creating as many fake “Likes” on Facebook as you want without using a botnet or an army of spammers. The team says, in the paper published on March 19 this year, that Facebook was alerted to the flaws two years ago but loopholes on the site still remain.
The McGill team is hoping that by making the bugs public, advertisers — who rely on Likes and pay for them — and users will realise that some articles aren’t actually as popular as the number of Likes would indicate.
The McGill paper will be of interest to Facebook spammers who, until now, have employed armies of low-paid workers in developing countries to create fake Facebook profiles. Questionable advertisers use these click farms to make themselves appear more popular than they actually are. Those click farms also pollute the fanbases of legitimate advertisers because the fake profiles add Likes to real brands in order to resemble real users. Advertisers who have paid to reach more people who might like their pages hate it, too.
Facebook has also been repeatedly sued by advertisers that claim their pages have seen too much click fraud. (There’s a proposed class action case pending in a California federal appeals court, for instance.) While click fraud is NOT the same thing as fake Likes, plaintiffs’ lawyers are clearly interested in any information that might indicate that Facebook generates the appearance of something being clicked on when, in fact, it has not.
Facebook — which did not immediately respond to Business Insider’s request for comment — has battled fake likes for years. It has implemented a range of methods for weeding out fake Likes. The company periodically weeds out fake Likes in mass purges. Obviously, the company has no interest in tolerating low-quality clicks. “We maniacally optimise around return on investment for advertisers,” a source once told us about Facebook’s attitude to click quality.
The McGill method lets users create 100 fake Likes every 5 minutes by adding three essentially duplicate likes on every single post or shared article.
The McGill method simply takes advantage of Facebook’s existing mechanisms, which, if used the right way, produce multiple duplicate Likes on the same post:
- Create a Facebook post with the target URL.
- Share the post just created.
- Add a comment to the post with arbitrary commenting content.
- Delete the post.
Crucially, deleting a post does not reduce the number of Likes displayed by the original web page on which that Like button sits.
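To show why that counting behaviour inflates the number, here is an added example (not from the McGill paper or Facebook's code) that replays a constructed event log through two simplified counters: one that behaves as the article describes, and one that counts distinct accounts with live objects. The class names, event fields and the deduplicating design are assumptions made for illustration.

```python
from collections import defaultdict

URL = "https://example.com/article"  # constructed sample URL

class NaiveCounter:
    """Model of the described flaw: post, share and comment each add one."""
    def __init__(self):
        self.count = defaultdict(int)

    def handle(self, ev):
        if ev["action"] in ("post", "share", "comment"):
            self.count[ev["url"]] += 1
        # "delete" is ignored, so the count never goes down

    def likes(self, url):
        return self.count[url]

class DedupCounter:
    """Hypothetical hardened model: one Like per account, live objects only."""
    def __init__(self):
        self.live = {}  # object id -> (root post id, account, url)

    def handle(self, ev):
        if ev["action"] == "delete":
            # Drop the deleted post and everything attached to it.
            self.live = {i: o for i, o in self.live.items()
                         if i != ev["id"] and o[0] != ev["id"]}
        else:
            self.live[ev["id"]] = (ev["root"], ev["account"], ev["url"])

    def likes(self, url):
        return len({acct for _, acct, u in self.live.values() if u == url})

def sample_events(rounds):
    """Constructed log: a1 repeats post/share/comment/delete; b1 posts once."""
    events, next_id = [], 1
    for _ in range(rounds):
        root = next_id
        for n, action in enumerate(("post", "share", "comment")):
            events.append({"action": action, "id": root + n, "root": root,
                           "account": "a1", "url": URL})
        events.append({"action": "delete", "id": root})
        next_id += 3
    events.append({"action": "post", "id": next_id, "root": next_id,
                   "account": "b1", "url": URL})
    return events

def replay(counter, events):
    for ev in events:
        counter.handle(ev)
    return counter.likes(URL)
```

With five rounds from one account plus one genuine post, the first model reports 16 Likes while the deduplicating model reports 1.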
“This procedure can generate three fake likes a time. By repeating it, we manage to generate 20 fake likes per minute (without violating Facebook’s rate limit),” say the McGill authors, Xinye Lin, Mingyuan Xia, and Xue Liu. The team also says Facebook has been lax in fixing the flaws:
> We reported these flaws to Facebook on Feb. 15th, 2013, and expressed our intention to collaborate on helping fix these flaws. The Site Integrity Team of Facebook replied on March 4th, 2013 acknowledging these flaws, quoting “… it’s an inherently insecure design. But right at the moment, they need to spend more engineering time than research collaboration (to fix them) …”.
>
> … However, we found that several of the original flaws we discovered more than two years ago are still out in the wild…
The procedure can be automated via Facebook’s Like API with just 20 lines of Python code, the McGill team says, referring to the way programmers are able to plug directly into Facebook’s systems.