Zango strikes back over reported Facebook hack
Posted on Thursday, January 10, 2008, 03:22 AM

Officials with Zango, a maker of Web-based advertising software, are aggressively refuting last week's report from security appliance maker Fortinet, which claimed that the adware firm's programs were being secretly passed along to end users by an application made available on Facebook.
Tabbed by Fortinet as the first major malware/greyware/badware hack to find its way onto the social networking portal, the incident prompted Zango's leaders to say in a statement released late Monday that claims of its involvement with a Facebook widget dubbed Secret Crush are "blatantly untrue."
As reported in my original story, and based on my interview with Guillaume Lovet, a regional manager of Fortinet's Threat Response Team, the initial claim made by the security company appeared to be that the Secret Crush program -- marketed to Facebook users under the guise of a tool that allowed them to find out about other members who found them attractive -- secretly installed Zango adware.
Upon further review, that appears, at least in part, to have been a mistake on my part in interpreting the bulletin and Mr. Lovet's observations.
In the end, Fortinet is charging that Secret Crush merely "directed [users] to an external Web site inviting them to download applications such as MyWebSearch, which allows for pop-up advertising," to quote Chris Boyd, aka PaperGhost, who also blogged on the confusion last night.
To that end, Zango representatives said that once a user was sent to the aforementioned Web site after installing Secret Crush, they were presented with a legitimate end-user license agreement (EULA) that informed them of all the particulars of its adware programs before anything was installed.
According to Zango:
"What the Fortinet report writer saw was simply an ad for a Zango application after the widget was added to a Facebook profile – an ad not connected to the widget and not unlike any other ad on the Internet that might appear on a Web page. The Zango advertisement, seen by Fortinet's researcher but not by Zango's security team at any point during the subsequent investigation, was just one in a series of rotating advertisements that a user might see after installing the Secret Crush application. If clicked on, the ad led users to Zango's standard notice and consent process."
The party that could really shed light on this whole confusing situation is Facebook itself, but they've yet to return any of my calls or e-mails on the matter. Social networking they appear to do well; PR, not so well.
Meanwhile, Fortinet is sticking to its original report:
"After additional investigation, Fortinet confirms that our research related to the 'Secret Crush' (Facebook Widget) was accurate as of posting our advisory on January 2, 2008," the company said in a statement on Tuesday. "The behavior shown in our screen shots simply showcases the observations the FortiGuard Global Security Research Team made on that date. We stand behind our original research."
So, it's a classic game of he said, she said. But, as with PaperGhost's assessment (and he has doggedly pursued Zango for its questionable practices in the past), it does seem, based on the reported details, that Zango at least served up its EULA before allowing end users to click through and grab its programs, which is all it is really required to do. That is a meaningful distinction from a widget that silently installs adware, even if the end result for a user who clicks through without reading is much the same.
I still think that Facebook should do a better job of policing the apps that get loaded onto its platform, and that Zango needs to be as transparent as possible if it is serious about changing its image from a shady adware firm to a legitimate, ethical business, as its media representatives claim it has.
But, we in the security community who picked up on this story so eagerly should also be reminded to look into all the details of any security bulletin before we report on it.
Sorry for any confusion.
Facebook finally got back to me on Wednesday, and while they couldn't dig up anyone to talk about the broader issue of security and social networking (which is pretty surprising, since it's a huge question mark ahead of the launch of Facebook Enterprise), here's the boilerplate statement they passed along:
"Facebook is committed to user safety and security and, to that end, its terms of service for developers explicitly state that applications should not use adware and spyware. Users should employ the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop. We have contacted the developers and have disabled the Secret Crush application for violating Facebook Platform Terms of Service."
So, despite Zango's claims, it would seem that Facebook agreed with Fortinet that there was an element of adware involved that it felt violated its rules, though the statement does not say whether the violation was the widget itself or the external site it pointed users to.