How Digg's API Exposed 159 Fake Accounts Digg Claims Were Internal Tests

A Digg community member, suspicious of some top links, used the site's Digg API to uncover 159 fake accounts. By comparing the stories voted on by these accounts to other stories, he discovered what appeared to be directed fraud and what Digg now calls "tests to find spam vulnerabilities." We spoke to the community member to learn how he used the site's API and what he learned.

Mohanraj Thirumalai, or Mohan, is known on Digg as Lt. General Panda. He first became suspicious when Digg announced a change to its algorithm, something he said the company has kept secret in the past. So, he used the API to retrieve every story that made the Digg home page between October 1 and October 23, in order to get a good comparison between stories both before and after the change.
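As an added illustration of the comparison described above (this is not Mohan's tool or Digg's API code; the vote records are constructed and the thresholds are assumed), the following Python script groups accounts whose digg histories coincide almost exactly and counts a group's activity before and on/after a cutoff date such as the October 15 algorithm change:

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of (story_id, username, iso_date) tuples, not real Digg data:
# "ring1".."ring4" digg the same four stories after the cutoff; organic users overlap little.
VOTES = [
    ("s1", "alice", "2008-10-03"), ("s1", "bob", "2008-10-03"),
    ("s2", "carol", "2008-10-08"), ("s2", "alice", "2008-10-08"),
    ("s3", "bob", "2008-10-12"), ("s4", "carol", "2008-10-14"),
    ("s5", "alice", "2008-10-18"), ("s8", "bob", "2008-10-20"),
]
for story in ("s5", "s6", "s7", "s8"):
    for user in ("ring1", "ring2", "ring3", "ring4"):
        VOTES.append((story, user, "2008-10-18"))

def stories_by_user(votes):
    """Map each username to the set of stories it dugg."""
    sets = defaultdict(set)
    for story, user, _ in votes:
        sets[user].add(story)
    return sets

def find_voting_rings(votes, min_shared=3, min_jaccard=0.8):
    """Return groups (sorted username lists) of users whose digg histories nearly coincide.
    Two users are linked when they share >= min_shared stories and the Jaccard
    similarity of their story sets is >= min_jaccard; groups are connected components."""
    sets = stories_by_user(votes)
    parent = {u: u for u in sets}  # union-find over usernames (assumed thresholds above)

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    for a, b in combinations(sets, 2):
        shared = len(sets[a] & sets[b])
        if shared >= min_shared and shared / len(sets[a] | sets[b]) >= min_jaccard:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for u in sets:
        groups[find(u)].append(u)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def ring_activity(votes, ring, cutoff):
    """Count a ring's diggs before and on/after cutoff (ISO date string)."""
    before = sum(1 for _, u, d in votes if u in ring and d < cutoff)
    after = sum(1 for _, u, d in votes if u in ring and d >= cutoff)
    return before, after
```

On the constructed data the four ring accounts form the only group, and all of their diggs fall after the cutoff, which is the before/after contrast Mohan was looking for.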

TechCrunch summarizes what Mohan found:

The 159 dummy accounts, which were given pathetically anonymous names, seem to have contributed systematically to submissions from Digg publishing partners, including TechCrunch. The suspicious activity seems to have started after the algorithm revision of October 15th, after which time a number of submissions (though by no means all front-page stories) were blatantly promoted by these accounts.

Mohan first attempted to reach out to Digg directly. When he didn't hear back in an hour, he published his findings. To add to his suspicion, the fake accounts stopped digging stories when he alerted Digg. "There was this one hour time period where only Digg and my wife knew about it," he said.

When we spoke to Mohan, it had been nearly 24 hours without a response from Digg. "If this is just an algorithm fine-tuning, why was there so much change?" he said. According to Mohan, Digg has proudly shared that it monitors for suspicious activity. "If I was able to download this data and see this, why can't you do this?"

In a message later posted on the Digg blog, the company acknowledged that it owned the fake accounts:

As with many sites, we continuously run tests on the site to expose vulnerabilities in our own security. In this case, we did have a number of our internal test accounts Digging content from the Upcoming section of the site. We learned a great deal about some vulnerabilities in how users can inappropriately Digg stories into the home page. We have already made some changes over the last few weeks and are going to be making some other changes to the site this week to address a few of the issues we found. Similar to how good security companies try to break their own security, we have always tested and will always run tests to find spam vulnerabilities on Digg.

The company may have been understandably distracted by recent events. This week it laid off 25 employees, apparently including its Director of Communications. And while Digg could have been more open, the upside is that Mohan's experience shows off the company's powerful API. This is a new era of transparency when even internal tests can't get past a developer and an API key.

And this experience won't stop Mohan. He's currently working on tools for Twitter and Digg. "Mostly statistical stuff," he said.

Update: Mohan has responded to the Digg post.
