Facebook Widget Installs Zango Spyware
BaCa writes "A malicious Facebook Widget actively spreading on the social networking site ultimately prompts users to install the infamous "Zango" adware/spyware. The tremendous success and lightning fast expansion of Facebook empowered the social networking giant with an impressive user base. Needless to say, in a digital world where web traffic equals money, such a user base attracts spammers, virus/spyware seeders, and other ethic-less online marketers like honey would attract flies."
The evolution of Facebook took place too fast for the security to catch up.
I guess "unethical" is too big a word for the average Facebook user.
"The cost of freedom is eternal vigilance." -Thomas Jefferson
There is something else that attracts flies which it more closely resembles...
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
All the apps are terrible. Aside from their 'myspacesqueness', they also release your entire profile & friends to an unknown entity. Facebook's TOS is bad enough, but at least you have a sense of who you're dropping all thoughts of ownership or privacy to.
'caring' - imageogram
http://xkcd.com/357/
Weaselmancer
ridiculous.
I tried to run it from the Facebook link in my sandbox, it wouldn't take. Looks like admin privileges are a requirement. I guess it's not surprising people aren't following the basic security steps that (even) Microsoft recommends.
Interested in open source engine management for your Subaru?
Facebook widgets are the new "I know someone who likes you" note-passing. Apps like "superpoke", "vampire bite", and now "secret crush"?
Social networking sites are like second grade classrooms.
Ok fine, but which major anti-spyware programs detect and eliminate it?
and which do not?
It would be very interesting to get a feel for which anti-spyware programs destroy it.
Also, the name of anti-spyware programs that fail to detect and/or destroy it.
The danger boils down to how many people are unprotected as compared to those who are protected, and how well anti-spyware software truly protects us, or fails to protect us.
Facebook have already blocked it, days ago...
The widget in question (according to TFA) is "Secret Crush". The app asks you to complete several steps, including signing up 5 of your friends and installing a tray applet (containing the "infamous "Zango" adware/spyware") from Zango's site.
In the same way that MS created IE so that third parties could gain control of your computer to generate profits (think of pop ups that were not disabled until XP SP 2, a continuing lack of Flash blocking, even though images can be blocked) I wonder if facebook has somehow facilitated this spyware. Clearly, if facebook gets a cut of revenue generated by the spyware, this would result in some large coin.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Think MySpace only it looks like a corporate website c.1999 instead of a Geocities page c.1996. Oh, and with pointless activities.
Les Miserables Volume 1 now up with my reading of
Am I the only person left who doesn't know what facebook is?
From reading the press it seems to be some sort of web site where you upload all your private stuff for other people to see. I've never seen it though.
No sig today...
There is a very big difference and the summary (and title) is misleading and wrong.
According to "blog.zango.com" (found by a google search "facebook widget zango") the widget is now called "My Admirer".
Facebook is going to hell in a handbasket. They should never have opened to "anyone with an email address"; that's just asking for trouble. At least they're making money, right?
While the tag "shitattractsflies" is somewhat amusing when describing (as an aside, Facebook started exclusively on college campuses some 5 years ago, now), I think the more insightful tag would be "peopleattractshit".
-Rob
Biblical fiscal responsibility
Don't voluntarily install untrusted executable files! Period! There is no vulnerability without the user thinking that they want what's inside.
Facebook has nothing to do with the existence of this vulnerability. In fact, the browser-based app model explicitly is nice because of the sandbox effect, where such apps are very limited in what they can touch on your local machine. But when you convince people to break out of that sandbox by installing a local app, you can certainly kiss your computer goodbye.
--
Our microcontroller kit. Your gcc compiler. Learn digital electronics.
when he speaks of less ethical payper click schemes. we remember when rejecting advertising from softwar gangsters was thought to be important. nowadaze, almost everything is about getting a bit more monIE/stock markup FraUD paypers. time always reveals the motives as well as the results.
If you aren't the last person, you're not by much.
I only went and checked it out a few weeks ago, after not being able to stand all the hype any longer.
I can't figure out what it's for. I've said as much here on Slashdot before, and was told that basically it's a mechanism to find/keep in touch with friends.
It's kind of like "classmates.com", except it's free.
I went and tried it out. First of all, they want you to use your real name. Like you noted, your "private stuff". Myself, I am seeking to /limit/ my online exposure, not enhance it, so of course I created a fake account.
Once you have an account, there is very little to actually /do/, that I can see. You are supposed to join "networks", but there weren't any that seemed interesting to me.
I don't have any long lost friends to look up, and the couple of names I did plug in didn't get any hits. All of the people currently in my life that I want to keep up with I currently keep up with by other means, like email, telephone, or face-to-face.
I still don't understand the appeal of these "myspace" and "facebook" social web sites. What they really look like to me is an html-based web page creation utility, that allows people to create a personal web page without having to pay a hosting fee.
Since most ISPs these days give you a 5MB or so space where you can make a little web page if you want, I don't know why people don't just use that, except I guess they don't know how to make web pages. So MySpace, Facebook, etc., are like mini web-page software wizards to help you make a web page. Since all the web pages are centralized on one "server", they are thus also easily searchable / linkable.
If I wanted a web page to post things about myself, I'd go register a domain and some web hosting services and make one. I guess Facebook and MySpace are for people who don't want to go to the trouble.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
sure, can you tell the novice users (eg. children, parents, grandparents etc) what exactly is an "executable" and why i should trust one (eg flash) amongst another?
Basically, what I have concluded is that these "social" websites are basically free, web-based applications that let people create small personal web pages.
Since the web pages are on a centralized "server", they are easily indexable and searchable, which is nifty if you want to do things like go looking for long-lost friends or people who share similar interests.
Myself, I don't get the appeal.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
I wholeheartedly concur...
Windows supposedly has the greatest security model in the world, but I don't understand it, I've never understood it, and I've never met anyone who could explain it to me. Occasionally there's ordinary files that aren't open but that I can't modify AND I HAVE NO CLUE WHY THIS HAPPENS. Some hidden attribute, God knows what it is. Etcetera.
Vista proves what I've always suspected: even Microsoft can't set up a secure, usable Windows system without pissing me off on a continual basis with warnings and promptings and bullshit. So excuse me, I'll stick with XP, run as admin, live behind my locked-down firewall, run Firefox and NoScript, and avoid widgets and downloads and attachments and so forth like I've been doing since Windows 95.
And I'll continue to wait for Apple to wake the hell up and release OS[whatever roman numeral it is now] generically, so maybe this long nightmare can finally end.
You mean untrusted executable files like this?
Well, at least Scoble is safe.
"Piter, too, is dead."
First of all, stupidity doesn't mean you deserve what you get. Second of all, using Windows has nothing to do with it. All the smart Windows users are blissfully uninfected, the problem is stupidity, not OS choice.
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
First of all, stupidity doesn't mean you deserve what you get.
Yes it does. It's called life, and we as a society should stop putting so much futile effort into working against it.
Any sufficiently advanced technology is indistinguishable from a rigged demo.
>Staying in touch with a bunch of people who you do not care very much for their
>center of interest is one of the most worthless activity i've ever heard of.
My sentiments exactly. It also smacks of voyeurism to me. Maybe that is part of the appeal?
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
So, an internet on the internet?
I pwn this comment. "The Fine Print" says so.
>Hmmm... well, if you used a fake name, then maybe all your former friends did too.
>The site only works if people use their real names.
I really don't have any former friends. There is one guy I've lost track of over the years, but he never kept a phone (his girlfriends kept calling getting him in trouble with his live-in girlfriend) and he hated computers so I doubt he's on the web anyway. But other than him, I don't have any long-lost buddies I'm trying to keep track of. I never had friends in high school so I'm not looking for long-ago classmates. I wasn't a traditional college student (I worked full time and went to school to get my degree) so I don't have any college buddies to track down, either.
If you just want to look people up, why not go use Yahoo People Search? Why opt into yet another database so you can be found?
>It enables the maintenance of casual friendships without having to write/phone explicitly.
This concept is completely foreign to me. If you are worthy enough of friendship then I will make the effort to maintain that friendship explicitly. If you aren't worthy enough of friendship then I'm not going to be interested in your digital trivia on some web page.
>If you think about it, this is how most casual friendships work - I don't specifically talk to John down
>the hall at work to catch up, I might bump into him in the coffee room, see he's got a new shirt, find out
>it was his birthday yesterday etc. etc.. Just seeing and bumping into someone lets you stay in touch without it being an effort.
The people I interface with at work are not friends, they are coworkers. I do happen to have a friend at work, but he is an actual friend, and I maintain our friendship by traditional means, speaking, telephone, email, going out to lunch, having his family over for dinner, etc. The rest of my coworkers, however, I don't care to interface with except for work-related matters. I don't care what kind of shirt they are wearing, when their birthday is, or any other trivial detail about them except whatever information I need from them to execute work functions. This is not to say I might not make additional friends out of co-workers, just that I don't need "casual" friendships.
>Email works for people you really want to stay in touch with, and chat forums work for a bunch of people who want to discuss the same topic(s).
This works for me.
>On Facebook I can find out that Fred who I went to school with is into a particular band too,
>and if there's a couple of other guys from school 10 years ago maybe a group of us could go to a gig.
I figure if I haven't spoken to you in 6 months then you are off my radar. I don't have enough time to keep adequate track of all the people actually actively present in my life. I guess I just don't feel the need to go dredging up the past to fulfill my friendship needs.
What you've said about Facebook jives with what other people have told me about it. Ultimately I figure I'm just anti-social and consequently the thrill of accumulating lots of "casual friends" just holds very little appeal to me. I'm also one of those people who never asks strangers, "How are you doing?" because I don't really care how some stranger is doing, and I know it's just a dumb little thing that people say to each other as a greeting and most people don't care how you are doing, either.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
>So, an internet on the internet?
I guess so.
Steve
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
Thank you. I hope you get modded +5 insightful.
You know, youth may actually have a lot to do with it.
After reading the trivial things you get to keep track of from the post just above yours (I.E., guy B leaves the American Sandwich Society), I gather that this sort of thing gives you very trivial data about people - things you just don't really need to know or keep track of.
When I was younger I had time for such dalliances. But as an adult with a 50+ hour work week, a wife and a child, a house, cars, and the rare time out for hobbies and gaming, I just don't have time to keep up with trivia any more. I mean there is so little time for the actual /important/ things in my life that I just don't have the time to care that "Guy B is friends with Guy C", that "Girl A is no longer single", etc. etc. etc.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
http://slashdot.org/comments.pl?sid=407050&cid=21926308
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
No, it doesn't. We may not be able to prevent the consequences of stupidity (nor should we try to baby-sit people in that fashion), but we certainly shouldn't say that stupid people deserve what they get, feeling all smug. We should try to educate them, not finger-point and laugh.
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
It's a good thing that these "spammers, virus/spyware seeders, and other ethic-less online marketers" would ever take advantage of the /. user base!
Oh wait...
Yaz.
People with Firefox can install the "stylish" extension (for controlling CSS), and, along with the "De-MySpacify" script, block all appearances of facebook apps in their browser. ( http://userstyles.org/styles/3681 ). It's about 15 lines long and incredibly helpful (not to mention aptly-named).
The Profile Hug application embeds an iframe in its request notification that sometimes (but not always) redirects the user to an external site that then shows facebook in an iframe along with advertisements. Facebook has yet to do anything about this app (though I have notified them).
For those who don't know how Facebook works, basically when one person installs an app, the app will pester them to request their friends also install it. A friend of mine installed it, which sent me a request that appears on a very long list of other such requests I've ignored. When I view my requests page, there is now a (sometimes) malicious iframe that will hijack my browser window, even though I have not installed any app.
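Added example (not part of the comment above and not Facebook's code): a small audit a host page could run over third-party notification markup to flag iframes that nothing stops from navigating the top-level window, which is the hijack the comment describes. The sample markup, the `app-*.example` hosts and the function names are constructed for illustration.

```javascript
// Sandbox tokens that let framed content navigate the top-level window.
const TOP_NAV_TOKENS = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Parse the attributes of one opening <iframe ...> tag into a Map keyed by
// lowercase attribute name. Handles "double", 'single' and unquoted values.
function parseAttributes(tagSource) {
  const attrs = new Map();
  const body = tagSource.replace(/^<iframe/i, "").replace(/\/?>$/, "");
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!attrs.has(name)) attrs.set(name, value); // first occurrence wins, as in HTML
  }
  return attrs;
}

// Classify every iframe in a chunk of markup:
//   "unsandboxed"            - no sandbox attribute, so sandboxing does not
//                              restrict the frame from navigating the top window
//   "top-navigation-allowed" - sandboxed, but a token hands that ability back
//   "ok"                     - sandboxed without any top-navigation token
// Limitation: the tag regex assumes no literal ">" inside attribute values.
function auditIframes(html) {
  const findings = [];
  for (const match of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttributes(match[0]);
    const src = attrs.get("src") ?? "";
    let risk = "unsandboxed";
    let grants = [];
    if (attrs.has("sandbox")) {
      const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
      grants = tokens.filter((t) => TOP_NAV_TOKENS.has(t));
      risk = grants.length > 0 ? "top-navigation-allowed" : "ok";
    }
    findings.push({ src, risk, grants });
  }
  return findings;
}

// Constructed sample: a requests page carrying three app notifications.
const SAMPLE_REQUESTS_PAGE = `
<div class="request">
  <iframe src="https://app-a.example/notify"></iframe>
</div>
<div class="request">
  <iframe src="https://app-b.example/notify" sandbox="allow-scripts allow-top-navigation"></iframe>
</div>
<div class="request">
  <IFRAME SRC='https://app-c.example/notify' SANDBOX="allow-scripts allow-forms"></IFRAME>
</div>`;

for (const f of auditIframes(SAMPLE_REQUESTS_PAGE)) {
  console.log(`${f.risk.padEnd(24)} ${f.src}`);
}
```

Only the third frame passes: it can run scripts and submit forms inside its own box, but the sandbox withholds top-level navigation, so it cannot replace the page the user is viewing.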
As is so often quoted on /., "You can't con an honest man"
You could have a website, full control over ALL the html, the ability to run php/mysql stuff, links to anything you want, a neat little script to let your friends leave comments....it'll cost you very little, I pay £60/yr for one of my websites and I get backups, halon fire suppression (which I couldn't even legally have in the UK), superb support etc etc
OR....you could get a free but very limited version of the same plus adverts, spam and the occasional security scare like this. Stupid? No, just ignorant, but if I offered you a {WARNING, CAR ANALOGY} free car, and it turned out to have a radio that only tunes to one station then you can't really complain.
You pays your money, you takes your pick. Or not, as the case may be.
Please consider this account deleted, I just can't be bothered with the spam anymore.
I stopped using MySpace after a year. I got over 100 spam advertisements, scams, and actually had to remove one of my friends from my MySpace page because he kept spamming my page with stupid porn links (which was, you guessed it, a scam). I plugged in my web server I made with Linux and Apache several weeks after that, and I can't believe everyone else doesn't do the same (or at least use free web hosting services, if they can't build their own). Only my friends and family know about and access the site, which I have some info about me, a blog, and a phpBB forum on.
I took the advice of your SIG.
You shifted the goalposts on that one. Being smug about stupidity-with-consequences or laughing at it, is an entirely different issue than what you responded to. I agree there is no reason to feel superior or gain a sense of schadenfreude (sp?). On the whole, stupidity is kind of sad, and we all behave stupidly sometimes. However, saying stupidity deserves its results is a tautology, to my mind. If stupidity didn't have harmful results, then I don't see how a behaviour could really be called stupidity. Cupidity, or individual difference, maybe, but not stupidity.
That's my two cents, at least.
not sure about the intent of the hyphenation here, but imnsfho facebook et al seem to have a questionable motivation and ethical standards to start with, what with the only business model they have is user data on hock.
I rest my case.
I don't disagree that stupidity has harmful effects, my issue is with saying "stupid people deserve what they get". I think that saying things like that is promoting an attitude of smugness and I'm-better-than-you. Going by that logic, I really shouldn't try to educate stupid people, because they deserve the consequences of their stupid actions. Should we shield people from dumb mistakes? Of course not, we don't want to live in that kind of nanny-society. However, that doesn't mean we shouldn't have a marginal amount of sympathy for those people, or try to help and educate them.
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
It benefits people with active social lives. Not surprising then that so many slashdotters seem to be baffled by it.
You can choose to be insulted by this or not but it's the truth.
- Toby
I was quite unaware of that fact, but nonetheless... the issue here isn't facebook per se... it is the fact that any third party can write an application that gets all your data, and nobody really understands the implications of this...
Ian
It's worse than an app.. it's actually an ad. It may be an actual app. However, it advertises itself as a banner and says you have 11 messages waiting. Click it, and it says they delete so many messages a day, and you are down to 3. I figured out pretty quickly when they asked for my gender (which they should have already if they were really a Facebook app) that it was fake.. besides the fact, it used images.. but there was no border around the banner, and no word "Advertisement". Facebook needs to correct this.. at a minimum.. and make it clear when you are leaving the Facebook site. But seriously, for Windows users, don't install executables. You know those "install and run" dialog boxes.. say "No." --Sam
I'm afraid this is all rumour and innuendo according to Zango:
/. Don't you know: "Zango Advisory: As of this posting, the Zango security team has observed that the Secret Crush widget on Facebook is now called the "My Admirer" widget."
http://blog.zango.com/PermaLink,guid,94c0e12c-c69e-484f-81b8-b8b58953d71b.aspx
(summary: users are clearly told they are downloading something, so what's the problem?)
And try to keep up with the times,
why is this bias being injected into submissions? 'online marketers' aren't necessarily 'ethic-less,' even if their ethical standpoints don't necessarily coincide with their own. i would guess they do share ethical ideas with everybody using slashdot, though. they certainly utilize facebook to spread their ideals, which is what a lot of facebook users do on a regular basis (and what every living, thinking, non-hermit person who has any effect on the world does, consciously or unconsciously). this idea that it's ok to use false proclamations simply because you're discussing a subject your general audience will likely have similar feelings toward is ludicrous. i think spyware and spam and things like that are stupid and annoying, but practicing the distribution of those things does not make a person anything other than distributors of those things. if they do not have ethics, then they do not have ethics, but that's another situation entirely (and i would guess everything we know about human psychology and evolution pretty much rules that possibility out anyway), and certainly not the end result of their actions. their actions are the end result of their ethics, certainly, so i guess by stating otherwise you are begging the question? my knowledge of that fallacy is pretty lame, though. i'm not really smart enough to understand it, or something (something probably being i haven't learned enough to understand it [i remember reading that people who don't think they can do things tend to not try hard enough to find out if they can, so i'm trying to break that habit {because obviously if i read it on the internet it's true}]). another issue i have is with that article terming this as 'social engineering.' how exactly is a completely scripted process using absolutely no human interaction social engineering? 
if i write a program to represent a prompt for a passkey that stores the inputted information into a flat file, and a user ignorantly inputs their log in credentials to it, am i socially engineering them into doing so? just because it's a social networking site doesn't mean everything done on it is social. i understand that it's written to appear to be social, but i wouldn't call a full grown bear dressed in a diaper a human baby. i wouldn't call smarterchild a human being or consider a conversation with it a social event. why is completing a scripted process social on any level? just because you are compelled into action by a perceived social obligation does not mean you are participating in a social activity. i still pee standing up.
im going to be brutally honest. if you don't enjoy facebook, it's because you don't have an active social life. this is true between 20-25 year olds. outside that range, facebook isn't as stapled to social lives.
im pretty active with my social life, and im constantly on facebook to see pics of parties or outings im tagged in, as well as pics from what my friends were up to while i wasn't around (or not invited to! ha)
Why limit your social life by posting as an ac?
"ethic-less"? The word is "unethical." This is how language evolves and dies.
>It benefits people with active social lives. Not surprising then that so many slashdotters seem to be baffled by it.
It sounds just the opposite though. People don't seem to be using Facebook to socialize, they use it to digitally eavesdrop on the mundanities of people they no longer keep up with very well.
Except for the examples provided where people use it as a means to schedule physical meetings, it doesn't sound like real, honest-to-goodness socializing, it sounds like a substitute for it.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.