Fakes as Likes and Dislikes as Likes:

A Comprehensive Study of the Flaws of the Facebook Like System

The initial work of this project was conducted from September 2012 to December 2012 in the Cyber Physical System Laboratory in the School of Computer Science at McGill University. By December 2012, we had identified a series of flaws associated with the design and implementation of the Facebook Like system. We reported these flaws to Facebook in February 2013, and expressed our intention to collaborate on helping fix them. The Site Integrity Team of Facebook replied in March 2013 acknowledging the inherently insecure design, but they need to spend more engineering time than research collaboration. After that, we submitted some of the research findings to one of the most famous convention – DEFCON, under the title of "Are You Really Liking It When You Use the Facebook Likes" in May 2013, and the paper got accepted in late June 2013. Later, because we could not go to present at the conference, we had to retract the paper from the conference.

Over the past two years, Facebook has made continuous progress fighting with fake likes. Facebook released patches and improvements to the Like button API and fixed some of the major flaws. In the mean time, the Like button has become the de facto standard for the users to show their fondness of a particular online content, and been used as a widely-accepted metric to measure the popularity of a webpage. Even more interesting, it has been associated with the economic benefits and interests to the providers of the contents / underlying business. There are reports stating that a single Facebook like is worth as much as $174 to the business [1, 2].

However, we recently found that several of the flaws we discovered are still out in the wild. We recorded 3 demo videos to illustrate these flaws and potential threats. For example, these flaws could be used by online spammers to generate massive amount of fake Facebook Likes for profits, impeding the common interest of both social network users and legitimate advertisers. This may endanger the ecosystems on the Internet which leverages on the Facebook API. Also, we show these fake "likes" can be easily generated in an automatic fashion at very low cost. As another example, we show some of the flaws also lead to the increase of Facebook Likes even when legitimate users are making negative comments and expressing dislikes (or even disgusts) of the associated online content. These findings surprise most people.

We discover that a large number of the online websites, including famous ones like Yahoo, abcNews, HuffingtonPost, FoxNews, ESPN, BillBoard, etc., are affected by these flaws. Given the fact that Facebook has become an integral part of our everyday digital lives, and is the dominant online forum for social networking, these flaws may have potentially large negative impacts and consequences to our online community. We all love Facebook. We hope by making public our research findings together with several video demos can help raise the awareness of these flaws and potential consequences. We hope these efforts can contribute to the research and solutions of building a truthful and healthy online social ecosystem.

[1] David Cohen, Syncapse: Each Facebook Like Is Worth $174 To Brands, retrieved on March, 4th, 2015 from http://www.adweek.com/socialtimes/syncapse-like-174/418690

[2] Courtney Kettmann, Is a Facebook “Like” Worth $174? Probably Not, retrieved on March, 4th, 2015 from http://www.wired.com/2013/07/is-a-facebook-like-worth-174-probably-not/