OAuth security flaw on Facebook is allowing accounts to generate millions of fake likes and comments

A security flaw has allowed thousands of Facebook accounts, both real and fake, to generate millions of fake ’likes’ and comments by entering into “collusion networks”, claims new research. [caption id=“attachment_3887701” align=“alignleft” width=“380”] Representational Image. Reuters.[/caption] This thriving ecosystem of large-scale reputation manipulation services on Facebook leverage the principle of collusion said the researchers from the University of Iowa in the US and Lahore University of Management Science in Pakistan. The researchers found dozens of sites that operate the so-called collusion networks, which rapidly generate users’ ’likes’ for free, CBS News reported this week. While the researchers looked at top 50 networks, they believe that many more could exist. In order to participate, users have to grant the networks wide-ranging access to their accounts, so that those accounts can be harnessed to ’like’ others. The networks exploit code **known** as OAuth, which allows third-party applications such as Spotify, iMovie, and the Playstation Network to access users’ Facebook accounts from anywhere between a few hours to even months at a time. But the exploit can be used for darker purposes than just gathering extra ’likes’, the researchers warned.“In addition to reputation manipulation, attackers can launch other serious attacks using leaked access tokens. For example, attackers can steal personal information of collusion network members as well as exploit their social graph to propagate malware,” the researchers said. The researchers told CBS News that they tracked the collusion networks in the run-up to **the 2016 presidential election**, but could not say whether the networks were used to boost posts to benefit or hurt candidates. “We do want to examine the Russia question,” study co-author Zubair Shafiq from the University of Iowa was quoted as saying. The collusion networks have now been blocked, according to Facebook. “We have addressed the activity described in this research and we are no longer seeing it on our platform,” a Facebook spokesperson was quoted as saying.