The "Secret Crush" widget that misled more than a million Facebook users into viewing unsolicited adware has been shut down. But like any heartbreaker, it continues to leave a trail of confusion in its wake.
Facebook successfully blocked the "Secret Crush" widget last week for violation of its terms of service.
But in the wake of the scheme, the adware company Zango is vehemently and publicly denying that it had any responsibility in creating the worm.
Zango execs repeatedly claim that they had no affiliation with the widget, maintaining that one of the company's banners was coincidentally one of the rotating ads that a user might see after installing the "Secret Crush" application. "It just so happens that Zango was one of the ads displayed in the ad placement. We have made sure that this ad is no longer there," said Keith Smith, Zango chief executive officer. "That is the only connection."
Zango's ardent denial flies in the face of claims made by security vendor Fortinet that the adware company was responsible for the ploy. Fortinet, which first discovered the widget New Year's Day, still stands by its original claim, stating, "After additional investigation, Fortinet confirms that our research related to the 'Secret Crush' (Facebook widget) was accurate as of posting our advisory on January 2, 2008. The behavior shown in our screen shots simply showcases the observations the FortiGuard Global Security Research Team made on that data. We stand behind our original research."
An updated Fortinet advisory continues to assert that the "Secret Crush" frame is hosted on zango.com, in the affiliates section. It also warns users that clicking on "Download Now" during the installation process will ultimately lead them to Zango's adware.
The widget, which was installed through Facebook's "Secret Crush" function, gave members a New Year's surprise earlier this month when a message notified them that they might have an unknown admirer. After completing prerequisites that included clicking through a disclaimer and recommending at least five other friends to the site, users discovered that instead of viewing their "Secret Crush," they were redirected to another Web site that invited them to download unsolicited pop-up adware.
The widget acted as a worm: it relied on social engineering that piqued users' curiosity, then propagated when those users recommended more friends. The widget was renamed from "Secret Crush" to "My Admirer" after news of the malicious adware became public Jan. 2.
Zango contends that its services never force users to download anything -- that, on the contrary, the site offers free content to consumers and requires users to go through a very deliberate consent process before viewing the ads.
"We make sure they know exactly what they are installing," said Smith.
Facebook disabled the "Secret Crush" application by Jan. 4. "Facebook is committed to user safety and security and, to that end, its terms of service for developers explicitly state that applications should not use adware and spyware. Users should employ the same precautions while downloading software from Facebook applications," a spokesperson said in a written statement.