Slashdot Mirror


Facebook Widget Installs Zango Spyware

BaCa writes "A malicious Facebook Widget actively spreading on the social networking site ultimately prompts users to install the infamous "Zango" adware/spyware. The tremendous success and lightning fast expansion of Facebook empowered the social networking giant with an impressive user base. Needless to say, in a digital world where web traffic equals money, such a user base attracts spammers, virus/spyware seeders, and other ethic-less online marketers like honey would attract flies."

33 of 137 comments

  1. Facebook evolved too fast by plarsen · · Score: 2, Insightful

    The evolution of Facebook took place too fast for the security to catch up.

  2. "like honey would attract flies" by John+Hasler · · Score: 5, Funny

    There is something else that attracts flies which it more closely resembles...

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:"like honey would attract flies" by Yetihehe · · Score: 2, Funny
      --
      Extreme Programming - Redundant Array of Inexpensive Developers
  3. Without exception... by Anonymous Coward · · Score: 5, Insightful

    All the apps are terrible. Aside from their 'myspacesqueness', they also release your entire profile & friends to an unknown entity. Facebook's TOS is bad enough, but at least you have a sense of who you're dropping all thoughts of ownership or privacy to.

    'caring' - imageogram

    1. Re:Without exception... by jo42 · · Score: 2, Funny

      >Graffiti is fun, you get to draw things.
      >Pretty things, if you're good.

      Let me fix that for you:

      Microsoft Paint is fun, you get to draw things.
      Pretty things, if you're good.
  4. Obligatory by Weaselmancer · · Score: 4, Funny

    >...such a user base attracts spammers, virus/spyware seeders, and other ethic-less online marketers like honey would attract flies.

    http://xkcd.com/357/

    --
    Weaselmancer
    rediculous.
  5. Wouldn't install for me by bconway · · Score: 3, Informative

    I tried to run it from the Facebook link in my sandbox, it wouldn't take. Looks like admin privileges are a requirement. I guess it's not surprising people aren't following the basic security steps that (even) Microsoft recommends.

    --
    Interested in open source engine management for your Subaru?
    1. Re:Wouldn't install for me by slyn · · Score: 2, Funny

      That's one of the major problems with Windows. The default security settings of a Microsoft product aren't even what Microsoft recommends.

      It's times like this I'm glad I have a Mac, as I can continue to stalk people that barely know me without risk of getting a virus. =P

  6. Re:Ethic-less? by vaz01 · · Score: 5, Funny

    You must use facebook a lot.

  7. Too late by doofusclam · · Score: 4, Informative

    Facebook have already blocked it, days ago...

    1. Re:Too late by kebes · · Score: 4, Interesting

      It's good that Facebook is blocking that app, but this points to a deeper problem with Facebook's implementation of third-party applications. This is just the beginning of Facebook being exploited by scammers.

      Whoever injected that spyware application will no doubt create a new developer account, and upload some variant of "Secret Crush". Blocking a particular application or a particular developer account is a short-term solution. I can only guess that more and more people are going to exploit Facebook apps for adware, spyware, phishing, identity theft, etc. Facebook will then be playing yet another game of "Internet whack-a-mole" where they try to block applications based on signatures, block developers based on IP address, and so on (with usual countermeasures of automated code variation, proxies, etc.). As we've seen from spam, viruses, spyware, and phishing, such games reach a stalemate where a certain fraction of users are becoming victims at any given time (typically the less savvy users, I suppose).

      Personally I think Facebook should do a better job making the risks of third-party applications clear. The little "confirm that you want this application" question has already become so routine for most users that it means nothing to them. Moreover, the tight integration of third-party apps into the Facebook environment, though visually pleasing, leads most users to believe that the applications are written by and endorsed by Facebook. In fact, the code runs on third-party servers and those third-parties have access to profile data once you accept the app. Most Facebook users are surprised when you tell them this. And it's not always easy to tell who actually wrote a given application.

      I think we all saw this coming, and I'm surprised Facebook didn't put in more safeguards to curtail the use of the app framework for spamming, phishing, and social engineering.

  8. The widget is "Secret Crush" (saving you a click) by stickyc · · Score: 4, Informative

    Quick summary:

    The widget in question (according to TFA) is "Secret Crush". The app asks you to complete several steps, including signing up 5 of your friends and installing a tray applet (containing the "infamous "Zango" adware/spyware") from Zango's site.

  9. Re:What is "Facebook"? by STrinity · · Score: 4, Insightful

    Think MySpace only it looks like a corporate website c.1999 instead of a Geocities page c.1996. Oh, and with pointless activities.

    --
    Les Miserables Volume 1 now up with my reading of
  10. Am I the only person left? by Joce640k · · Score: 4, Funny

    Am I the only person left who doesn't know what facebook is?

    From reading the press it seems to be some sort of web site where you upload all your private stuff for other people to see. I've never seen it though.

    --
    No sig today...
    1. Re:Am I the only person left? by Albert+Sandberg · · Score: 2, Funny

      Slow down cowboy! I'm slowly grasping how this blog thing works!

  11. Re:The widget is "Secret Crush" (saving you a clic by Anonymous Coward · · Score: 4, Informative

    According to "blog.zango.com" (found by a google search "facebook widget zango") the widget is now called "My Admirer".
    Facebook is going to hell in a handbasket. They should never have opened to "anyone with an email address"; that's just asking for trouble. At least they're making money, right?

  12. Tag issues by lpangelrob · · Score: 3, Insightful

    While the tag "shitattractsflies" is somewhat amusing when describing (as an aside, Facebook started exclusively on college campuses some 5 years ago, now), I think the more insightful tag would be "peopleattractshit".

  13. Personal responsibility -- don't install untrusted by compumike · · Score: 3, Insightful

    Don't voluntarily install untrusted executable files! Period! There is no vulnerability without the user thinking that they want what's inside.

    Facebook has nothing to do with the existence of this vulnerability. In fact, the browser-based app model explicitly is nice because of the sandbox effect, where such apps are very limited in what they can touch on your local machine. But when you convince people to break out of that sandbox by installing a local app, you can certainly kiss your computer goodbye.

    --
    Our microcontroller kit. Your gcc compiler. Learn digital electronics.

  14. Don't feel bad, I don't get it either. by maillemaker · · Score: 3, Insightful

    If you aren't the last person, you're not by much.

    I only went and checked it out a few weeks ago, after not being able to stand all the hype any longer.

    I can't figure out what it's for. I've said as much here on Slashdot before, and was told that basically it's a mechanism to find/keep in touch with friends.

    It's kind of like "classmates.com", except it's free.

    I went and tried it out. First of all, they want you to use your real name. Like you noted, your "private stuff". Myself, I am seeking to /limit/ my online exposure, not enhance it, so of course I created a fake account.

    Once you have an account, there is very little to actually /do/, that I can see. You are supposed to join "networks", but there weren't any that seemed interesting to me.

    I don't have any long lost friends to look up, and the couple of names I did plug in didn't get any hits. All of the people currently in my life that I want to keep up with I currently keep up with by other means, like email, telephone, or face-to-face.

    I still don't understand the appeal of these "myspace" and "facebook" social web sites. What they really look like to me is an html-based web page creation utility, that allows people to create a personal web page without having to pay a hosting fee.

    Since most ISPs these days give you a 5MB or so space where you can make a little web page if you want, I don't know why people don't just use that, except I guess they don't know how to make web pages. So MySpace, Facebook, etc., are like mini web-page software wizards to help you make a web page. Since all the web pages are centralized on one "server", they are thus also easily searchable / linkable.

    If I wanted a web page to post things about myself, I'd go register a domain and some web hosting services and make one. I guess Facebook and MySpace are for people who don't want to go to the trouble.

    --
    A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
    1. Re:Don't feel bad, I don't get it either. by uglyduckling · · Score: 3, Insightful

      >I created a fake account... I don't have any long lost friends to look up, and the couple of names I did plug in didn't get any hits.

      Hmmm... well, if you used a fake name, then maybe all your former friends did too. The site only works if people use their real names. Facebook is exactly that for most people - kind of like classmates.com and Friends Reunited. It enables the maintenance of casual friendships without having to write/phone explicitly.

      If you think about it, this is how most casual friendships work - I don't specifically talk to John down the hall at work to catch up, I might bump into him in the coffee room, see he's got a new shirt, find out it was his birthday yesterday etc. etc. Just seeing and bumping into someone lets you stay in touch without it being an effort. Social networking sites let you do this. Email works for people you really want to stay in touch with, and chat forums work for a bunch of people who want to discuss the same topic(s). On Facebook I can find out that Fred who I went to school with is into a particular band too, and if there's a couple of other guys from school 10 years ago maybe a group of us could go to a gig. Nothing serious, nothing important, but if you like to stay loosely in touch with a whole bunch of people then it works really well.

    2. Re:Don't feel bad, I don't get it either. by tapo · · Score: 2, Informative

      Actually, the purpose of Facebook is to not only find friends, but to allow you to communicate with them more easily.

      Facebook's core feature is the 'news feed', which basically shows what your friends have been doing on facebook, or what they've set their status to be, a little like twitter. Here's a snippet from mine:

      Guy A started playing a game: Mass Effect
      Girl A misses Guy A.
      Girl B left the group The American Sandwich Society.
      Guy B and Guy C are now friends.
      Girl C is no longer listed as single.

      It also allows you to create events and invite people, allowing them to RSVP through facebook. Considering it has everyone's information, it's also a very, very handy way to have up-to-date contact information, notifying me of address changes, cell phone numbers, and the like. As a college student, everyone I know uses facebook, making it a valuable networking tool.

      --
      "Joy is contagious," he said, peering into the microscope.
    3. Re:Don't feel bad, I don't get it either. by stuporglue · · Score: 2, Informative

      >Actually, the purpose of Facebook is to not only find friends, but to allow you to communicate with them more easily.

      Sorry, no. The purpose of Facebook is to make money.

      --
      https://www.facebook.com/digitizeicm -- Show your support for the digitization of the Iron County Miner newspaper archiv
    4. Re:Don't feel bad, I don't get it either. by aj50 · · Score: 2, Insightful

      Originally Facebook was designed to appeal to university students (I believe you had to have a uni e-mail address to sign up) and for this target market, it works very well. When you start university, you quickly meet lots of new people who you might not bump into again and whose names you're trying to remember.

      One of its most useful features is that you can search through people at your uni who've signed up, you can search for people who are doing the same course as you, you can get enough background information to gauge whether you might get on with them and to allow you not to fall into socially awkward traps. You can get an idea of where their interests lie by which groups they've joined so you can take a guess at what sort of stuff they might enjoy.

      It's only good because the people on facebook are people you have actually met and if you're getting to know someone, it saves you from having to ask them their name three times and can tell you whether he's actually going out with that girl you always see him with or whether they're just friends.

      Bear in mind that applications have only come about recently and (IMO) are the cancer that will kill facebook*. Previously, you had the personal info, the wall, the groups and the photos.

      *Not that I think that the idea of applications is a particularly bad one, there's a lot of interesting things you can do with them but the invite system is really annoying, some people fill their page with applications until it looks like myspace and some application writers seem to be competing to get the most users.

      For one of my assignments last term, I made a system where you could link your bluetooth ID with your facebook account and your friends could tell if you were within bluetooth range by running a program on their phone which would query our database with a list of bluetooth IDs and get a list of friends with their name and photo. Of course, this application isn't really practical, very few people have a smart phone or have bluetooth turned on and I won't even start talking about the privacy implications but it allowed us to see people's reactions to it and to show that it could be done by a small group of undergrads.

      --
      I wish to remain anomalous
    5. Re:Don't feel bad, I don't get it either. by Ma8thew · · Score: 2, Insightful

      So if someone were to ask what Slashdot was, I shouldn't say 'it's a technology site, centred around discussion of current news', but instead, 'it's to make money for Sourceforge Inc.'. Yeah, that's a lot more clear.

    6. Re:Don't feel bad, I don't get it either. by Scrameustache · · Score: 2

      >I can't figure out what it's for.

      It's for organizing parties.

      >Since most ISPs these days give you a 5MB or so space where you can make a little web page if you want, I don't know why people don't just use that, except I guess they don't know how to make web pages.

      Because the point is the social network.

      Anecdote: So this girl I know in meatspace asks me if I'm coming to her party, I don't know what party she meant, we discuss the fact that I'm not in her facebook friends, the following day we digitize our friendship, and I finally see the event page (limited to her friends) with all the relevant details and a handy "coming/not/maybe" RSVP system.
      You get to see who's going to the party, who isn't, and the whole thing is done with a nice central website and user friendly interface.

      P.S. Also, it's a great channel for attention-whoring.
      --

      You can't take the sky from me...

  15. Re:Ethic-less? by Wordsmith · · Score: 3, Funny

    Or a slashdot poster.

  16. Re:Ethic-less? by XnavxeMiyyep · · Score: 2, Funny

    Nope. Unethical is an even BIGGER word!

    --
    I put the 't' in electrical engineering.
  17. Re:why are all facebook widgets so retarded? by 0100010001010011 · · Score: 3, Insightful

    They let the highschoolers and world in.

    The reason it's like a second grade class room is because the majority of users are of that mentality now. Just look at most of the "groups" now. Maybe they existed and I didn't notice before but all my groups were rather sane, now they're "IF U JOIN THIS GRUP WORLD PEACE WILL START!"

    I've been on Facebook since the beginning. And every minor improvement seemed to rock. They added photos. I was able to share photos in one place with most of my friends. I could invite friends over to a party without having to e-mail everyone. Yes, sometimes in college you don't get the opportunity to SEE all your friends every day.

    And then the flood gates opened. The Developer thread was flooded with "HEAY I LOVE FACEBOOK CAN U MKE IT SO MUSIC PLAYS LIKE MYSPACE." People would kindly remind them that the whole thread was FOR developers. People could make 3rd party apps and it seemed pretty good because all the 3rd party apps were external. Then came the day that they let those 3rd party apps on everyone's website. Then it just went to hell.

    Thankfully Grease Monkey and scripts like this (http://userscripts.org/scripts/show/11992) exist.

    Which is why I maintain 2 accounts. My 'professional' account. Uses my work address. All my college friends and people I know well. You can't find it anywhere. You can't search for it by name. Even if you know me I have to add you. Then my "Hi I just met you at the bar and I'm going to add you" account. Basic info. Searchable. Etc.

  18. scoble by chris_mahan · · Score: 2

    Well, at least Scoble is safe.

    --

    "Piter, too, is dead."

  19. Re:It's stupid WINDOWS users, duhh by Bartab · · Score: 2, Insightful

    First of all, stupidity doesn't mean you deserve what you get.

    Yes it does. It's called life, and we as a society should stop putting so much futile effort into working against it.

    --
    Any sufficiently advanced technology is indistinguishable from a rigged demo.
  20. I agree! by maillemaker · · Score: 2, Insightful

    >Staying in touch with a bunch of people who you do not care very much for their
    >center of interest is one of the most worthless activities I've ever heard of.

    My sentiments exactly. It also smacks of voyeurism to me. Maybe that is part of the appeal?

    --
    A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
  21. Explicit maintenance of friendship... by maillemaker · · Score: 2

    >Hmmm... well, if you used a fake name, then maybe all your former friends did too.
    >The site only works if people use their real names.

    I really don't have any former friends. There is one guy I've lost track of over the years, but he never kept a phone (his girlfriends kept calling getting him in trouble with his live-in girlfriend) and he hated computers so I doubt he's on the web anyway. But other than him, I don't have any long-lost buddies I'm trying to keep track of. I never had friends in high school so I'm not looking for long-ago classmates. I wasn't a traditional college student (I worked full time and went to school to get my degree) so I don't have any college buddies to track down, either.

    If you just want to look people up, why not go use Yahoo People Search? Why opt into yet another database so you can be found?

    >It enables the maintenance of casual friendships without having to write/phone explicitly.

    This concept is completely foreign to me. If you are worthy enough of friendship then I will make the effort to maintain that friendship explicitly. If you aren't worthy enough of friendship then I'm not going to be interested in your digital trivia on some web page.

    >If you think about it, this is how most casual friendships work - I don't specifically talk to John down
    >the hall at work to catch up, I might bump into him in the coffee room, see he's got a new shirt, find out
    >it was his birthday yesterday etc. etc. Just seeing and bumping into someone lets you stay in touch without it being an effort.

    The people I interface with at work are not friends, they are coworkers. I do happen to have a friend at work, but he is an actual friend, and I maintain our friendship by traditional means, speaking, telephone, email, going out to lunch, having his family over for dinner, etc. The rest of my coworkers, however, I don't care to interface with except for work-related matters. I don't care what kind of shirt they are wearing, when their birthday is, or any other trivial detail about them except whatever information I need from them to execute work functions. This is not to say I might not make additional friends out of co-workers, just that I don't need "casual" friendships.

    >Email works for people you really want to stay in touch with, and chat forums work for a bunch of people who want to discuss the same topic(s).

    This works for me.

    >On Facebook I can find out that Fred who I went to school with is into a particular band too,
    >and if there's a couple of other guys from school 10 years ago maybe a group of us could go to a gig.

    I figure if I haven't spoken to you in 6 months then you are off my radar. I don't have enough time to keep adequate track of all the people actually actively present in my life. I guess I just don't feel the need to go dredging up the past to fulfill my friendship needs.

    What you've said about Facebook jives with what other people have told me about it. Ultimately I figure I'm just anti-social and consequently the thrill of accumulating lots of "casual friends" just holds very little appeal to me. I'm also one of those people who never asks strangers, "How are you doing?" because I don't really care how some stranger is doing, and I know it's just a dumb little thing that people say to each other as a greeting and most people don't care how you are doing, either.

    --
    A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
    1. Re:Explicit maintenance of friendship... by EveLibertine · · Score: 3, Insightful

      >If you are worthy enough of friendship then I will make the effort to maintain that friendship explicitly.

      Well, what the poster before you was trying to say was that social networking sites attempt to lower the amount of effort. You mention an effort, but the idea is that in the glorious future as we develop these tools there will be virtually no effort required. Of course, nothing out there now has fully succeeded, but they are trying. Also, nobody cares about the nonsensical trivia that people enter into their profiles on these sites. It does, however, give that lady at the front desk at your work something to do when there's nobody moving through the lobby.

      Let me give you an example of a "casual friend". You know that guy at the bar who tells you about his band, and it sounds cool, but you don't want to get his phone number or give out yours just so you can check out their next show. The solution here is he can just tell you what his band's myspace is, or facebook, or whatever, and you can get the info there. No need for feigned friendships when you find out his band sucks.