CIO

Facebook's Like button can still easily be gamed

Many websites are not using updated APIs that would prevent Likes from being easily faked

Facebook's Like button is a pervasive feature of the Web, a way to gauge the popularity of a website or piece of content. But researchers have found it's easy to inflate the numbers, undermining its value as an accurate measure of popularity.

The problem of bogus Likes has been around for some time, and Facebook has released updates to its software over the last couple of years to cut down on fraudulent ones generated by spammers.

But researchers with McGill University's School of Computer Science in Montreal say the social networking company still hasn't fixed several major problems with the feature. This week, they released a research paper outlining the problems, which they first told Facebook about in early 2013.

"Those Like numbers may be faked," said Xue Liu, a professor of computer science at McGill, in a phone interview. "There are easy ways to generate those fake Likes, and unfortunately on the Internet, a lot of companies and economic benefits are related to the number of Likes now."

Facebook officials couldn't be immediately reached for comment. The research is important because companies may be making marketing spend decisions based on Likes. There are thriving marketplaces for people to buy fake Likes, which can cost around US$30 for 1,000.

Also, average Facebook users may not be aware of exactly what kind of actions generate a Like. It's generally assumed that a single user can only generate one Like, but that's not actually the case. Sharing a link on Facebook from a source with an embedded Like button increases the count by one.

If the same user comments on the post, the Like count continues to rise. A demo video shows how a spammer could write a script that posts a piece of content on Facebook and then adds nonsensical comments, each of which causes the Like count to tick up once.

In that example, 30 Likes were quickly generated. The researchers found it was possible to generate up to 20 Likes per minute by creating a post, adding fake comments, deleting the post and repeating. Those actions didn't trigger a rate-limiting feature in Facebook that might have frozen the account for a while.

The flaw has been around for years and is apparently rooted in outdated Facebook APIs that are still used by many websites, including CNN, ABC News, The Huffington Post and The Economist, according to the research paper.

What's useful about their method is that it can generate a high number of Likes using only a single account. It means that spammers wouldn't need to take the time and expense of creating a high number of zombie accounts that would likely be detected and removed by Facebook.

Another demonstration video shows how a Like -- which is essentially a soft endorsement -- can appear out of context and may actually be contrary to a user's real opinion.

The researchers created a fake Web page for demonstration purposes that promoted disgraced investor Bernard Madoff. The website had an embedded Like button. If the site's URL was shared on Facebook, anyone who commented on it would increase the page's Like count, even though it's doubtful anyone would truly endorse it.

But people who visited the Web page would have seen an ever-rising Like count, giving the impression that the site is worthy. Other large online services, such as YouTube and Quora, have worked around this contextual problem by adding "dislike" or "downvote" buttons.

The researchers also found that if a Facebook user deletes a post, the Like count doesn't correspondingly drop.

Facebook wraps a lot of data into the little number next to the Like button. The company is straightforward about it in its documentation, saying that a Like includes not only the people who hit the button, but also the number of times the URL has been shared and the number of comments. But some people may not know that.
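As an added illustration (not code from the article, the research paper or Facebook), the sketch below replays a constructed event log to compare the count as the article describes it with a per-user audit that honours deletions and flags single-account bursts. The event schema, the account names and the per-minute limit are assumptions made for the example.

```python
from collections import Counter

# Constructed sample log with a hypothetical schema (not Facebook's API):
# (minute, user, action, post_id). Posts p1 and p2 both share the same URL.
EVENTS = (
    [(0, "alice", "like", None),
     (0, "bob", "share", "p1"),
     (1, "bob", "comment", "p1"),
     (1, "carol", "comment", "p1"),
     (2, "mallory", "share", "p2")]
    + [(2, "mallory", "comment", "p2")] * 9   # one account, nine comments
    + [(3, "mallory", "delete", "p2")]        # post removed afterwards
)

COUNTED = {"like", "share", "comment"}


def displayed_count(events):
    """Count as the article describes it: every like, share and comment
    adds one, and deleting a post subtracts nothing."""
    return sum(1 for _, _, action, _ in events if action in COUNTED)


def per_user_increments(events):
    """How many increments each account contributed to the displayed count."""
    return Counter(user for _, user, action, _ in events if action in COUNTED)


def audited_count(events):
    """Distinct accounts with surviving activity: activity on deleted posts
    is dropped and each account counts at most once."""
    deleted = {post for _, _, action, post in events if action == "delete"}
    return len({user for _, user, action, post in events
                if action in COUNTED and post not in deleted})


def burst_accounts(events, per_minute_limit=5):
    """Accounts that added more than per_minute_limit increments in one minute."""
    buckets = Counter((user, minute) for minute, user, action, _ in events
                      if action in COUNTED)
    return sorted({user for (user, _), n in buckets.items()
                   if n > per_minute_limit})


if __name__ == "__main__":
    print("displayed:", displayed_count(EVENTS))
    print("audited:", audited_count(EVENTS))
    print("burst accounts:", burst_accounts(EVENTS))
```

On this constructed log the displayed figure is more than four times the number of distinct accounts with surviving activity, and the gap comes from a single account.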

The paper was also co-authored by Xinye Lin and Mingyuan Xia of McGill's School of Computer Science.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk