UI grad student uncovers security issues at Facebook, Twitter

When University of Iowa computer science graduate student Shehroze Farooqi reads news headlines about Facebook and Twitter posts from dubious foreign accounts, or Facebook data grabs by politically affiliated companies, he’s not shocked.

From his office in MacLean Hall, Farooqi uses his knowledge of internet security and privacy to explore some of the darkest corners of the internet. Farooqi is a researcher first, but also serves as a sort of cyber sheriff, seeking out malicious hackers and collusion networks, and sharing tips with Silicon Valley giants Facebook and Twitter on how to shut them down.

“One of the things I like about my research is that it’s always a cat-and-mouse game,” says Farooqi. “The hackers or attackers will always come up with some new fraudulent activity, and then it’s up to myself and others to come up with a countermeasure. It’s like an escalated arms race.”

Farooqi’s work on Facebook fake “like” factories known as collusion networks earned him and his faculty advisor a top research prize at an international computer science conference in London in 2017. Their research uncovered a web of shadowy businesses that subverted Facebook security measures to provide fake “likes” to posts created by co-conspirators. Reputation manipulation, or the use of fake likes to boost trust on a social platform, is prohibited by Facebook, which tries to shut down such activities.

Before he published his research, Farooqi contacted Facebook engineers to alert them about the security loophole. After working with Facebook officials, and getting a behind-the-scenes look at running the world’s largest social media platform, Farooqi says he has a new perspective on the impact of his research.

“There’s definitely a feeling that I have to be really meticulous about my approach and that any assumption I make has to be very sound scientifically,” says Farooqi, who came to the UI in 2015 to study with Zubair Shafiq, an assistant professor of computer science and member of the UI Informatics Initiative. “When you’re advising Facebook on a new security measure, even a very small mistake could affect billions of internet users and you could quite literally break the internet.”

More recently, Farooqi has been examining “malicious” applications on Twitter, applications he estimates were used to manage fake and compromised accounts that spread malware and potentially fake news and misinformation to about 23 million Twitter users. Farooqi says he believes his Twitter research, which is ongoing, is the first to directly measure the impact of malicious third-party applications on the social media platform, which has about 330 million active users.

“What I found when I got into the research was that Twitter can’t find the malicious applications fast enough to take them down quickly, and so they stay up for several weeks,” Farooqi says. “And it’s during this time that they do their damage. By the time Twitter finds them and takes them down, it’s too late. Also, the groups that create the fake accounts are constantly creating new malicious applications to create even more fake accounts, so it’s a never-ending cycle.”

To address the issue, Farooqi developed artificial intelligence that identifies malicious tweets with 99.5 percent accuracy.

Last month, Farooqi shared his findings with engineers at Twitter and is awaiting a response.

“They are under considerable pressure at the moment to mitigate malicious activities on their platform,” says Farooqi, who points to a recently updated blog post from Twitter officials that outlines future actions to guard against malicious misuse of the platform, especially during election cycles. “I think my research could help them to reassure the public that they are doing the right thing.”

Farooqi says his next project most likely will continue to investigate the security aspects of Facebook and Twitter, as well as the use of third-party applications on mobile devices such as cellphones and tablets.

“I would like to dig even deeper into the privacy issues of these third-party applications because I still see them as a huge problem for data leaks such as the one executed by Cambridge Analytica,” he says. “I still feel that we don’t understand the proliferation of these applications well enough to ensure that the internet ecosystem is trustworthy. We have to ensure this trust before it is lost forever.”