Technical Perspective: Fake 'Likes' and Targeting Collusion Networks
By Geoffrey M. Voelker
Communications of the ACM, May 2020, Vol. 63 No. 5, Page 102 10.1145/3387722
The following scenario might sound like fiction. You and a million of your closest Facebook friends are going to band together to artificially improve your social networking reputation. You will willingly give a reputation manipulation service such as "official-liker.net" authorized access to your Facebook account. The manipulation service will cleverly exploit an authentication vulnerability in third-party Facebook apps to automate actions with your account. To use the service, you will view ads or pay explicit fees. The service will then use your account to "like" another Facebook account under their control—and that account will "like" yours back. You and others gain fake "likes," presumably improving your perceived online social standing, and the reputation service makes a profit.
But this scenario is not fiction, and the problem it presents to Facebook and other successful online social networks is both very real and challenging: how to completely undermine this abusive activity without negatively impacting your users (who are knowingly and entirely complicit in the abuse) or changing how apps authenticate (because that would add friction to the app ecosystem).
The following paper presents a rigorous study that explores this reputation manipulation ecosystem, ultimately working with Facebook to examine ways to stop this kind of large-scale online social networking abuse. The manipulation services are called collusion networks since the users who knowingly participate collude with each other to generate fake actions. In their work, the authors describe how to use honeypot accounts to infiltrate the collusion networks and reveal how they operate. The authors detail how the collusion networks take advantage of an authentication vulnerability using leaked access tokens to perform their actions, and comprehensively measure the extent and activity of the collusion networks they find. Who would do this? Over a million Facebook users. How many apps are vulnerable? More than half of the top 100 third-party Facebook apps. How many services are exploring this unexpected business opportunity? More than 20 such services. Finally, can these collusion networks be safely and effectively shut down? Yes.
As a final effort, the authors performed a series of careful interventions with Facebook against these services. Consider the defensive perspective of the online social network. Companies know which accounts are using collusion networks, which apps are being exploited to perform collusion, and who the collusion networks are. But services cannot shut down the user accounts: the users are legitimate, and services want them to continue to use the platform. They also cannot shut down the apps, or change how apps perform authentication: the apps have millions of legitimate users, and ease of app development relies upon the client-side token-based authentication. ...
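As an added illustration of the defensive vantage point described above (example code written for this page, not from the perspective or the paper it introduces), the following Python sketch scores like traffic per third-party app by how often likes are reciprocated, the signature of colluding accounts liking each other back, and lists the accounts on both ends of such pairs. The event layout, app ids, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of like events: (liking account, liked account, third-party
# app the like was issued through). Not real data; built to show the pattern.
SAMPLE_LIKES = [
    # Through a hypothetical abused app, members of a collusion network like each other back.
    ("u1", "u2", "app_X"), ("u2", "u1", "app_X"),
    ("u1", "u3", "app_X"), ("u3", "u1", "app_X"),
    ("u2", "u3", "app_X"), ("u3", "u2", "app_X"),
    ("u4", "u1", "app_X"), ("u1", "u4", "app_X"),
    # Through a hypothetical ordinary app, likes are mostly one-directional.
    ("u5", "u6", "app_Y"), ("u6", "u7", "app_Y"), ("u8", "u6", "app_Y"),
    ("u9", "u6", "app_Y"), ("u6", "u9", "app_Y"), ("u10", "u7", "app_Y"),
]


def reciprocity_by_app(events):
    """Return {app: (distinct directed likes, likes that were returned via the same app)}."""
    edges = defaultdict(set)
    for actor, target, app in events:
        if actor != target:  # ignore self-likes; they carry no reciprocity signal
            edges[app].add((actor, target))
    stats = {}
    for app, es in edges.items():
        reciprocated = sum(1 for a, t in es if (t, a) in es)
        stats[app] = (len(es), reciprocated)
    return stats


def flag_suspicious_apps(events, min_likes=5, min_ratio=0.6):
    """Apps whose like traffic is large enough to judge and mostly reciprocated.

    Thresholds are placeholders; a real deployment would calibrate them against
    the platform's normal reciprocity baseline.
    """
    flagged = []
    for app, (total, recip) in reciprocity_by_app(events).items():
        if total >= min_likes and recip / total >= min_ratio:
            flagged.append(app)
    return sorted(flagged)


def collusion_members(events, app):
    """Accounts on both ends of a reciprocated like pair issued through `app`."""
    es = {(a, t) for a, t, ap in events if ap == app and a != t}
    return {x for a, t in es if (t, a) in es for x in (a, t)}
```

Sorting apps by reciprocity ratio rather than by raw like volume is what separates an abused app (every like returned) from a popular one (many likes, few returned).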