Alessio has reported security vulnerabilities to Google and Apple. He also has a past as a web developer and web server administrator.
Using Fake Facebook Profiles
Most people know that creating fake Facebook profiles is not always legal. Indeed, it can violate the social network’s terms of service. You must always use Facebook with a real name without impersonating other people. Still, there is a specific situation in which you can not only create fake Facebook profiles but also use the social network in total anonymity, without even being flagged by Facebook’s anti-spam algorithm.
Does it sound weird that the social network allows such accounts to be created? The truth is that not only is it possible, but Facebook itself has a specific procedure to make these kinds of anonymous, invisible, and undetectable accounts.
Main Aspects of Invisible Accounts
You may wonder about the existence of this particular category of Facebook accounts. Yet, it is real, and these kinds of profiles have specific characteristics that make them different than regular accounts. Below are the main features of Facebook invisible profiles:
- They do not need an email address. Facebook generates a specific email address for you, so that you do not have to associate the profile with your actual data;
- They carry a random name. This means your account is fake, as it does not represent you, yet it is both legal and allowed by Facebook;
- They are immune from Facebook anti-spam algorithms. This means they can engage in activities that generally may lead to limitations if done with a regular account, like posting many comments in a short time or sending several friend requests in a few minutes;
- They stay in limbo. They cannot interact with real Facebook accounts, nor can they join groups or like pages; likewise, real Facebook accounts cannot see them.
Why Does Facebook Allow Invisible Profiles?
The fact that Facebook allows people to create fake accounts that are even undetectable by automatic anti-spam filters may seem weird at first glance. Once you realize that these accounts stay in limbo and cannot interact with other people, it makes more sense that they are immune from any filter.
Still, some people may wonder why Facebook allows the creation of these accounts. What’s the point in creating a profile that cannot interact with others, basically, a ghost account that can experience Facebook as if it was an empty website?
The answer to all these questions lies in a specific activity Facebook encourages: bug hunting. It means searching for security vulnerabilities that expose user data and the whole platform to potential risks and cyber-attacks. Bug hunters need to try to exploit flaws, but when they do it, they should behave ethically, in particular:
- They should not use their discoveries to harm other Facebook users, try to disrupt the platform, gain an unfair advantage, or blackmail the company in any way;
- They should keep any findings confidential until Facebook fixes the reported security vulnerabilities;
- They should minimize the impact of their discoveries.
The third point especially explains why Facebook allows the creation of fake invisible profiles: to enable security researchers to test the platform in a secure sandbox, in which these accounts cannot interact with real people. It is the only legal way to have a fake profile on the social network, provided that it is one of these special test accounts and that it is used only to engage in ethical bug hunting. In no way does Facebook approve of the creation of regular accounts with fake names, even if used for testing vulnerabilities.
|Regular Facebook Profiles|Test Accounts|
|---|---|
|Can interact with other people, but not with test accounts.|Can interact with other test accounts created by the same user, but not with other people or test accounts created by others.|
|Anti-spam filters and other security measures can target them if they engage in suspicious behavior or violate the community rules.|They are totally immune to Facebook’s automatic moderation systems: being test accounts, they are already invisible to other people, so there’s no need to moderate them. Moreover, the absence of limitations allows better testing of security vulnerabilities.|
|They can fully engage with pages, groups, and other public stuff on the social network.|They cannot engage with real pages or groups.|
|Any legally permitted usage of a social network.|For testing security vulnerabilities only.|
How to Create Facebook Test Accounts
Creating Facebook test accounts is easy. Below are the steps to proceed:
- Log in to your personal Facebook profile;
- Access the Bug Bounty section and look for the test accounts control panel;
- Create a new account and wait for Facebook to generate a random email address, name, and password for you.
After creating all the accounts you need, you are ready to use them: you do not need to activate them, change passwords or perform other tasks.
Limitations Affecting Facebook Test Accounts
Facebook test accounts cannot interact with real profiles, but the technical aspects involving these particular accounts are not the only ones to consider. In general, when using test accounts, one should remember they are meant to test security vulnerabilities, so they should be created only for this purpose and for nothing else.
Any other usage of this specific category of accounts may lead to violations of Facebook’s terms of service. Security researchers should only use test accounts to search for bugs but can still switch to their personal profiles in case they are unable to look for a specific vulnerability with the test ones, provided they do not use them to conduct automatic tests or engage in activities that may disrupt the service or harm other users.
© 2022 Alessio Ganci