Facebook widget includes spyware, says security vendor

Fortinet warns Facebook users to be wary of the Secret Crush widget.

Robert Vamosi Former Editor

As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

See full bio

Robert Vamosi

Jan. 4, 2008 12:31 p.m. PT

On Thursday, security vendor Fortinet warned Facebook users that a popular new widget also installed Zango, software that has been labeled by some antivirus vendors as spyware. The Facebook widget, Secret Crush, promises to reveal who has a secret crush on them, and requires the user to add it to their site. Upon doing so, Fortinet says the Zango software also piggybacks in the installation without notification.

Previously, MySpace users were tricked into downloading video from a site called YooTube, which also attempted to install the Zango Cash program.

Zango, also known as 180Solutions and Hotbar, has had a checkered history. In 2006, Zango settled with the Federal Trade Commission, agreeing to pay $3 million dollars for illegally installing its software on user's PCs without proper notification. Recently, Zango lost its lawsuit against antivirus vendor Kaspersky. At issue was Kaspersky's claim that Zango was a threat to users.

Fortinet estimates that about 3 percent of the Facebook sites currently have the Secret Crush widget installed. For its part, Zango told WiredNews it disputes the advisory, citing that it has not detected any noticeable increase in the use of its software in recent weeks.