
Facebook: Zango Adware Violates Terms


Facebook late Friday said an application known as Secret Crush that serves up adware from Zango violates its terms of service.

The social-networking site contacted the developers and disabled the application, or widget, from use on the site.

“Facebook is committed to user safety and security and, to that end, its Terms of Service for developers explicitly state that applications should not use adware and spyware,” Facebook representatives said in an email.

The move comes a day after Sunnyvale, California-based security firm Fortinet took the social network to task for allowing the malicious application to propagate across the site.

The sneaky widget first piqued people’s interest by suggesting that one of their friends had a crush on them. Lured by the promise of discovering who had been silently pining for their hearts, users were coaxed through a series of steps that ultimately led to a prompt to download a free horoscope service.

Once the service was downloaded, users’ computers were infected with the “infamous Zango adware/spyware” that monitors web browsing and then initiates targeted pop-up windows, said Guillaume Lovet, Fortinet’s Threat Response Team manager and the one responsible for discovering the adware widget.

Despite the risk of giving up personal information to a third-party developer, some 4 percent of Facebook members installed the application, which amounts to over 1 million downloads.

Zango, formerly known as 180solutions and Hotbar, is one of the world’s largest distributors of adware. Last November, Bellevue, Washington-based Zango settled charges with the Federal Trade Commission for $3 million. The FTC said, “they used unfair and deceptive methods to download adware and obstruct consumers from removing it, in violation of federal law.”

Zango denied the connections to the Secret Crush widget and said that they were unable to regenerate the ad that Fortinet discovered.

“In the case of the Zango ad seen by Fortinet, if clicked it would have taken a consumer to Zango’s standard plain-language notice and consent page where consumers could choose to install Zango software and access (without subscription) a Zango Astrology application – or choose not to install the software,” Zango representative Steve Stratz said in a statement.

Mr. Lovet contends that people are so committed by the time they reach the Zango page that they are likely to agree to the notice. No one ever reads “end user license agreements,” he said.

The discovery of malicious widgets on Facebook “should come as no surprise to anyone,” said Fred von Lohmann, senior staff attorney at the Electronic Frontier Foundation. “As sites like Facebook and MySpace become the destination for large numbers of users, they will also attract adware and spyware.”

The lesson to be learned is don’t be lured into a false sense of security on the Internet just because it’s Facebook, Mr. von Lohmann said.

Although developers have to agree to follow Facebook’s terms of service, the site doesn’t have a vetting process.

Facebook appeared to react quickly to Fortinet’s report. Friday morning Secret Crush had disappeared, only to be replaced by My Admirer. That too has since been disabled, suggesting a cat-and-mouse game between the developers and Facebook.

There will “always be rogues out there trying to slip through,” Mr. von Lohmann said.