TeMerc6
join:2004-01-22
Phoenix, AZ

2 recommendations

TeMerc6

Member

Facebook Widget Installs Zango

2008.January.02

Fortinet Global Security Research Team discovered a malicious Facebook Widget (officially, a "Platform Application") actively spreading on the social networking site which ultimately prompts users to install the infamous "Zango" adware/spyware.

The malicious widget, called "Secret Crush", first appears as a Facebook request 'secret crush'.

In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using "Secret Crush".

Clicking the "Find Out Who!" button leads to the standard third-party application install page essentially stating that the referred application will be granted access to user's details upon installation.

»www.fortiguardcenter.com ··· -16.html
TeMerc6

1 recommendation

TeMerc6

Member

Detailed analysis here:
»holisticinfosec.blogspot ··· ook.html

IPs called:
66.150.14.74 Zango
66.150.14.65 Zango
66.150.14.61 Zango
64.94.137.72 Zango

URLs:
hxx//installs.zango.com/downloads/valueadd/SRS/UCI/R1/seekmo.html
hxx//installs.zango.com/downloads/valueadd/SRS/UCI/R1/zango.html
hxx//installs.zango.com/downloads/valueadd/SRS/Installer/2.0.26/R1/Installer.exe
hxx//static.zangocash.com/Setup/Update/
hxx//public.zangocash.com/php/rpc_uci.php
hxxp://te.seekmo.com/TrackedEvent.aspx
hxxp://te1.zango.com/te.aspx

Links munged to avoid anyone clicking.

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

1 edit

1 recommendation

Cudni

MVM

Thanks for the warning.

From the 2nd link:
"...
If a user knowingly installs a widget or a piece of software with a EULA that describes its behavior, can it objectively be called spyware or malicious?
..."

I would call it adware if a user knowingly installs a piece of software that could, without the consent fact, be classified as spyware.

edit: by knowingly I meant being aware of and having read and understood the Eula (as much as Eulas can be understood)

Cudni
Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

Just Bob

Premium Member

I must be in a bad mood today.
I've come to the conclusion that a name change (researchware?) doesn't change the function.

»en.wikipedia.org/wiki/Duck_test
TeMerc6
join:2004-01-22
Phoenix, AZ

1 recommendation

TeMerc6

Member

Rebuttal by Zango below and FYI »blog.zango.com/PermaLink ··· 71b.aspx

Zango Advisory: As of this posting, the Zango security team has observed that the Secret Crush widget on Facebook is now called the “My Admirer” widget.

So if it's so innocent why the name change??
mysec
Premium Member
join:2005-11-29

1 recommendation

mysec to TeMerc6

Premium Member

to TeMerc6
Question for the Facebook "experts":

The Fortinet writeup states that in order for the user to "Find out who" -- she/he has to agree to install an executable file.

Is this (installing an executable file) a common occurrence on Facebook to participate in different activities?

----
rich

surfingenie
Premium Member
join:2005-03-17
Malibu, CA

1 recommendation

surfingenie to TeMerc6

Premium Member

to TeMerc6
Some updated info from Fortinet:
quote:
As of January 4, 2008 the widget's installed user base has grown from 3% to 4% of Facebook users, and has changed its name from "Secret Crush" to "My Admirer". Further, when attempting to install the "My Admirer" widget, the message: "The developer of this application does not currently allow it to be added." appears, halting the installation process.

Scroll down link [ close to bottom ]
»www.fortiguardcenter.com ··· -16.html

-k-
mysec
Premium Member
join:2005-11-29

1 recommendation

mysec

Premium Member

said by mysec:

Is this (installing an executable file) a common occurrence on Facebook to participate in different activities?

I found my answer:

»www.internetnews.com/sec ··· /3719851
quote:
The current system places the onus of security entirely on Facebook users, who are so accustomed to installing third-party applications that come recommended by friends that security concerns are often overlooked, Manky said.
Hmmm....

----
rich
TeMerc6
join:2004-01-22
Phoenix, AZ

2 recommendations

TeMerc6

Member

Social engineering working to its potential. People go online and think because they're sitting in their homes they can't get 'hurt'.

amysheehan
MVM
join:1999-12-21
Chula Vista, CA

1 recommendation

amysheehan

MVM

said by TeMerc6:

Social engineering working to its potential. People go online and think because they're sitting in their homes they can't get 'hurt'.
And don't forget this aspect - what teenager wouldn't want to know who's 'admiring' them secretly over being security-minded.
mysec
Premium Member
join:2005-11-29

1 edit

1 recommendation

mysec

Premium Member

I see this is all a part of Facebook's "Third Party Developer Platform" which encourages people to write their own applications for use on the site.

Nice, in theory. A can of worms, in practice.

How can one ever be sure when installing executables on an open social network site?

I have just two families that use these - I think one uses Facebook.

In one family, the kids are young and the computer has Anti-Executable installed which lets the parents control what gets installed.

In the other, the older teenager is in charge of her own computer. She knows not to click-to-install anything that pops up (plug-ins, etc), but this is different.

It's ridiculous to use untrusted/unknown executables as part of this social stuff.

If you tell kids to say "No" to everything, they will be deprived of part of the experience of the site.

----
rich
mysec

1 recommendation

mysec

Premium Member

Some links:

Facebook Launches Facebook Platform; They are the Anti-MySpace
»www.techcrunch.com/2007/ ··· myspace/
quote:
The payoff is two way. Not only do developers get deep access to Facebook's twenty million users, Facebook also becomes a rich platform for third party applications.

Facebook's strategy is almost the polar opposite from MySpace. While MySpace frets over third party widgets, alternatively shutting them down or acquiring them, Facebook is now opening up its core functions to all outside developers.
Platform Application Terms of Use
»developers.facebook.com/ ··· erms.php
quote:
III. Use of Platform Applications

(a) Developer Applications. When you install a Developer Application, you understand that such Developer Application has not been approved, endorsed, or reviewed in any manner by Facebook, and we are not responsible for your use of or inability to use any Developer Applications, including without limitation the content, accuracy, or reliability of such Developer Application and the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK.

Developers may require you to agree to their own terms of service, privacy policies and/or other policies as a condition of using Developer Applications. Those terms and/or policies may give Developers rights with respect to your Facebook Site Information beyond those provided by the Developer Agreement. PLEASE REVIEW EACH DEVELOPER'S TERMS AND/OR POLICIES CAREFULLY.


Cabal
Premium Member
join:2007-01-21

Cabal to TeMerc6

Premium Member

to TeMerc6
I tried to run it from the Facebook link in my sandbox; it wouldn't install for me. Looks like admin privileges are a requirement. I guess it's not surprising people aren't following the basic security steps that (even) Microsoft recommends.
mysec
Premium Member
join:2005-11-29

mysec

Premium Member

Blocking unwanted executables from installing is one thing.

In Facebook's case, users encounter third-party applications as part of the site's design, and they choose to install them.

With Facebook's policy,
quote:
we are not responsible for your use of or inability to use any Developer Applications, including without limitation the content, accuracy, or reliability of such Developer Application and the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK.
the user is in a quandary.

In my case in working with users, installing from trusted sources is the foundation of part of security. I've never had a user get hit with a virus.

If users can't trust Facebook's third party applications, to wit:
quote:
When you install a Developer Application, you understand that such Developer Application has not been approved, endorsed, or reviewed in any manner by Facebook,
what recourse do these users have?

If you choose to avoid all third party applications, then you miss out on part of the idea of social interaction of the site.

----
rich

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to mysec

Premium Member

to mysec
said by mysec:

... It's ridiculous to use untrusted/unknown executables as part of this social stuff. ...
Fixed it!

This social stuff is merely a subset (however compelling) of general online computer usage. If there's one lesson that needs to be hammered home to new or young users, it is to never, without exception, use any such executables under any circumstances without first thoroughly checking them out or checking with somebody knowledgeable who can check them out.
mysec
Premium Member
join:2005-11-29

2 edits

1 recommendation

mysec

Premium Member

said by Blackbird:

This social stuff is merely a subset (however compelling) of general online computer usage. If there's one lesson that needs to be hammered home to new or young users is to never, without exception, use any such executables under any circumstances...

I have no quarrel with that policy, and I've advised the teenager I referred to, to continue with that, as she has always done.

My beef is that Facebook has embarked on waters where its users are in a boat with no life raft, which should be provided by Facebook as a policy to screen all applications put up by its third-party developers.

Their policy is to put the onus on its users, which will result in

1) more users becoming victims

2) users with good security policies missing out on what should be a useful and fun place by avoiding these applications altogether, unless:
said by Blackbird:

... without first thoroughly checking them out or checking with somebody knowledgeable who can check them out.

Agreed, but in this case, Facebook has created a mess, since use of these types of applications is so common on the site.

----
rich

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

2 recommendations

Blackbird

Premium Member

said by mysec:

... My beef is that Facebook has embarked on waters where its users are in a boat with no life raft, which should be provided by Facebook as a policy to screen all applications put up by its third-party developers.

Their policy is to put the onus on its users, which will result in

1) more users becoming victims

2) users with good security policies missing out on what should be a useful and fun place by avoiding these applications altogether ...
Which brings us full circle to one of the growing problems with all too many corporations in the early 21st Century: a myopic focus on the bottom line extinguishing a genuine sense of social responsibility, particularly in a world of rampant litigation.

I'm convinced that the reasons for Facebook not screening all apps are the up-front costs to perform meaningful screening and Facebook's risk of liability when attesting (whether by overt 'certification' or by merely accepting) an app as "safe". So, indeed, the onus is being kicked on down to the user, irregardless of whether the "user" has the experience or judgement needed to navigate the resulting Facebook safely. In some ways, this practice seems like giving bright, shiny toys to toddlers and expecting those toddlers to make smart determinations regarding parts that can be swallowed or paint that contains lead...

I believe what Facebook (and some other similar sites) fail to realize is that at some point, the risks and damaging fallout of using their services with wide-open apps will eventually become so blatant and so obvious to even the inexperienced that the user base will plummet. Word - good, bad, and even erroneous - does travel in this interconnected age.
mysec
Premium Member
join:2005-11-29

mysec

Premium Member

You've said it all in a nutshell.

I don't know if there is any solution other than to spread the word, which I've done in contacting several families.

----
rich
TeMerc6
join:2004-01-22
Phoenix, AZ

1 recommendation

TeMerc6

Member

Posted by Caroline McCarthy
January 7, 2008

Good riddance: Facebook has banned the "Secret Crush" application due to its affiliation with a notorious spyware manufacturer.

The social-networking site confirmed the breakup on Monday: "Facebook is committed to user safety and security and, to that end, its Terms of Service for developers explicitly state that applications should not use adware and spyware," a statement from the company read. "We have contacted the developers and have disabled the Secret Crush application for violating Facebook Platform Terms of Service."

»www.news.com/8301-13577_ ··· 1_3-0-20
TeMerc6

TeMerc6

Member

PG weighs in on the whole Facebook\Zango thing and oddly enough, or rightly so, is almost on Zango's side. Ya you read that right.

Like everyone else, I went "ooooh" when I first heard about this. For those who don't know, an application on Facebook - when you installed it - "installed Zango spyware" (according to the numerous writeups), meaning the Zango Adware was the final destination, the main reason, for making this application in the first place.

However, Zango came out swinging with their latest blog post and also claimed they have no affiliation with the makers of the Secret Crush application, which seems a little odd considering the maker of the application would have no direct incentive to install their Adware if they didn't have an account with them.

They also posted up a screenshot that seems to show the application merely showing randomly selected adverts - not just an advert for Zango.

»www.vitalsecurity.org/20 ··· -on.html
mysec
Premium Member
join:2005-11-29

mysec to TeMerc6

Premium Member

to TeMerc6
Shortly after this topic appeared, and after looking more closely at the whole scenario of this "application developer" process, I advised those who I know have kids that use Facebook to just prohibit them from installing *any* of these applications. So far, I've not heard any complaints that they have felt that they've missed out on something by not installing a developer application.

For the older kids who make their own decisions, well, one hopes they don't succumb to peer pressure. See especially the "Joy of Tech" cartoon at the end of this article.

Exclusive: The next Facebook privacy scandal
»www.news.com/8301-10784_ ··· 1_3-0-20
quote:
Facebook's Web site and lengthy application terms of service curiously fail to mention something rather important. In addition to providing the application developer access to most of your private profile data, you also agree to allow the developer to see private data on all of your friends too...

The applications don't actually run on Facebook's servers, but on servers owned and operated by the application developers.
----
rich

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird

Premium Member

They just really don't seem to get it, do they?

From »www.news.com/8301-10784_ ··· 1_3-0-20 ...
I asked Facebook's Kelly what his company is doing to ensure that application developers do not violate the rules by saving a copy of user data that passes through their servers. He cited "extensive security mechanisms operating behind the scenes," although, he refused to expand on this, due to "security reasons." He wasn't too happy when I accused him of practicing security through obscurity, a concept widely mocked in security circles. He dismissed my charge as a mischaracterization.

Kelly claimed that his company "has a variety of techniques to determine if [developers are saving user data.]" As a PhD student in Information Security, I can quite confidently say that from a technical perspective, this is impossible. Simply put, once the data leaves Facebook's servers, the company has no way of knowing what happens to it. Thus, giving Mr. Kelly the benefit of the doubt, I can only assume that Facebook has a team of trained psychics on staff who use their mysterious powers to ferret out rogue developers.
And this Chris Kelly is Facebook's chief privacy officer!