Facebook Widget Installs Zango
2008.January.02
Fortinet Global Security Research Team discovered a malicious Facebook Widget (officially, a "Platform Application") actively spreading on the social networking site which ultimately prompts users to install the infamous "Zango" adware/spyware. The malicious widget, called "Secret Crush" first appears as a Facebook request 'secret crush'. In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using "Secret Crush". Clicking the "Find Out Who!" button leads to the standard third-party application install page essentially stating that the referred application will be granted access to user's details upon installation.
» www.fortiguardcenter.com ··· -16.html
|
TeMerc6
Detailed analysis here: » holisticinfosec.blogspot ··· ook.html
|
Cudni
MVM
2008-Jan-4 9:57 am
Thanks for the warning.
from the 2nd link "... If a user knowingly installs a widget or a piece of software with a EULA that describes it behavior, can it objectively be called spyware or malicious? .."
I would call it adware if a user knowingly installs a piece of software that could, without the consent fact, be classified as spyware
edit: by knowingly I meant being aware of and having read and understood the Eula (as much as Eulas can be understood)
Cudni |
|
Just Bob
Premium Member
2008-Jan-4 1:18 pm
I must be in a bad mood today. I've come to the conclusion that a name change (researchware?) doesn't change the function. » en.wikipedia.org/wiki/Duck_test |
|
Rebuttal by Zango below and FYI » blog.zango.com/PermaLink ··· 71b.aspx
Zango Advisory: As of this posting, the Zango security team has observed that the Secret Crush widget on Facebook is now called the My Admirer widget.
So if it's so innocent why the name change??
|
mysec Premium Member join:2005-11-29
to TeMerc6
Question for the Facebook "experts":
The Fortinet writeup states that in order for the user to "Find out who" -- she/he has to agree to install an executable file.
Is this (installing an executable file) a common occurrence on Facebook to participate in different activities?
---- rich |
|
to TeMerc6
Some updated info from Fortinet: quote: As of January 4, 2008 the widget's installed user base has grown from 3% to 4% of Facebook users, and has changed its name from "Secret Crush" to "My Admirer". Further, when attempting to install the "My Admirer" widget, the message: "The developer of this application does not currently allow it to be added." appears, halting the installation process.
Scroll down link [ close to bottom ] » www.fortiguardcenter.com ··· -16.html
-k-
|
mysec
Premium Member
2008-Jan-4 10:01 pm
said by mysec: Is this (installing an executable file) a common occurrence on Facebook to participate in different activities?
I found my answer: » www.internetnews.com/sec ··· /3719851
quote: The current system places the onus of security entirely on Facebook users, who are so accustomed to installing third-party applications that come recommended by friends that security concerns are often overlooked, Manky said.
Hmmm.... ---- rich |
|
Social engineering working to its potential. People go online and think because they're sitting in their homes they can't get 'hurt'. |
|
said by TeMerc6: Social engineering working to its potential. People go online and think because they're sitting in their homes they can't get 'hurt'.
And don't forget this aspect - what teenager wouldn't want to know who's 'admiring' them secretly over being security-minded.
|
mysec
Premium Member
2008-Jan-5 1:09 am
I see this is all a part of Facebook's "Third Party Developer Platform" which encourages people to write their own applications for use on the site.
Nice, in theory. A can of worms, in practice.
How can one ever be sure when installing executables on an open social network site?
I have just two families that use these - I think one uses Facebook.
In one family, the kids are young and the computer has Anti-Executable installed which lets the parents control what gets installed.
In the other, the older teenager is in charge of her own computer. She knows not to click-to-install anything that pops up (plug-ins, etc), but this is different.
It's ridiculous to use untrusted/unknown executables as part of this social stuff.
If you tell kids to say "No" to everything, they will be deprived of part of the experience of the site.
---- rich |
|
mysec
Premium Member
2008-Jan-5 1:17 am
Some links:
Facebook Launches Facebook Platform; They are the Anti-MySpace » www.techcrunch.com/2007/ ··· myspace/
quote: The payoff is two way. Not only do developers get deep access to Facebook's twenty million users, Facebook also becomes a rich platform for third party applications.
Facebook's strategy is almost the polar opposite from MySpace. While MySpace frets over third party widgets, alternatively shutting them down or acquiring them, Facebook is now opening up its core functions to all outside developers.
Platform Application Terms of Use » developers.facebook.com/ ··· erms.php
quote: III. Use of Platform Applications
(a) Developer Applications. When you install a Developer Application, you understand that such Developer Application has not been approved, endorsed, or reviewed in any manner by Facebook, and we are not responsible for your use of or inability to use any Developer Applications, including without limitation the content, accuracy, or reliability of such Developer Application and the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK.
Developers may require you to agree to their own terms of service, privacy policies and/or other policies as a condition of using Developer Applications. Those terms and/or policies may give Developers rights with respect to your Facebook Site Information beyond those provided by the Developer Agreement. PLEASE REVIEW EACH DEVELOPER'S TERMS AND/OR POLICIES CAREFULLY.
|
|
Cabal Premium Member join:2007-01-21 |
to TeMerc6
I tried to run it from the Facebook link in my sandbox, it wouldn't install for me. Looks like admin privileges are a requirement. I guess it's not surprising people aren't following the basic security steps that (even) Microsoft recommends. |
|
mysec
Premium Member
2008-Jan-5 2:41 pm
Blocking unwanted executables from installing is one thing. In Facebook's case, users encounter third-party applications as part of the site's design, and they choose to install them. With Facebook's policy,
quote: we are not responsible for your use of or inability to use any Developer Applications, including without limitation the content, accuracy, or reliability of such Developer Application and the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK.
the user is in a quandary. In my case in working with users, installing from trusted sources is the foundation of part of security. I've never had a user get hit with a virus. If users can't trust Facebook's third party applications, to wit:
quote: When you install a Developer Application, you understand that such Developer Application has not been approved, endorsed, or reviewed in any manner by Facebook,
what recourse do these users have? If you choose to avoid all third party applications, then you miss out on part of the idea of social interaction of the site.
---- rich
|
BlackbirdBuilt for Speed Premium Member join:2005-01-14 Fort Wayne, IN |
to mysec
said by mysec: ... It's ridiculous to use untrusted/unknown executables as part of this social stuff. ...
Fixed it! This social stuff is merely a subset (however compelling) of general online computer usage. If there's one lesson that needs to be hammered home to new or young users is to never, without exception, use any such executables under any circumstances without first thoroughly checking them out or checking with somebody knowledgeable who can check them out.
|
mysec
Premium Member
2008-Jan-5 3:17 pm
said by Blackbird: This social stuff is merely a subset (however compelling) of general online computer usage. If there's one lesson that needs to be hammered home to new or young users is to never, without exception, use any such executables under any circumstances...
I have no quarrel with that policy, and I've advised the teenager I referred to, to continue with that, as she has always done. My beef is that Facebook has embarked on waters where its users are in a boat with no life raft, which should be provided by Facebook as a policy to screen all applications put up by its third-party developers. Their policy is to put the onus on its users, which will result in 1) more users becoming victims 2) users with good security policies missing out on what should be a useful and fun place by avoiding these applications altogether, unless:
said by Blackbird: ... without first thoroughly checking them out or checking with somebody knowledgeable who can check them out.
Agreed, but in this case, Facebook has created a mess, since use of these types of applications is so common on the site.
---- rich
|
BlackbirdBuilt for Speed Premium Member join:2005-01-14 Fort Wayne, IN
said by mysec: ... My beef is that Facebook has embarked on waters where its users are in a boat with no life raft, which should be provided by Facebook as a policy to screen all applications put up by its third-party developers. Their policy is to put the onus on its users, which will result in 1) more users becoming victims 2) users with good security policies missing out on what should be a useful and fun place by avoiding these applications altogether ...
Which brings us full circle to one of the growing problems with all too many corporations in the early 21st Century: a myopic focus on the bottom line extinguishing a genuine sense of social responsibility, particularly in a world of rampant litigation. I'm convinced that the reason for Facebook not screening all apps are the up-front costs to perform meaningful screening and Facebook's risk of liability when attesting (whether by overt 'certification' or by merely accepting) an app as "safe". So, indeed, the onus is being kicked on down to the user, irregardless of whether the "user" has the experience or judgement needed to navigate the resulting Facebook safely. In some ways, this practice seems like giving bright, shiny toys to toddlers and expecting those toddlers to make smart determinations regarding parts that can be swallowed or paint that contains lead...
I believe what Facebook (and some other similar sites) fail to realize is that at some point, the risks and damaging fallout of using their services with wide-open apps will eventually become so blatant and so obvious to even the inexperienced that the user base will plummet. Word - good, bad, and even erroneous - does travel in this interconnected age.
|
mysec
Premium Member
2008-Jan-5 4:20 pm
You've said it all in a nutshell.
I don't know if there is any solution other than to spread the word, which I've done in contacting several families.
---- rich |
|
Posted by Caroline McCarthy January 7, 2008
Good riddance: Facebook has banned the "Secret Crush" application due to its affiliation with a notorious spyware manufacturer.
The social-networking site confirmed the breakup on Monday: "Facebook is committed to user safety and security and, to that end, its Terms of Service for developers explicitly state that applications should not use adware and spyware," a statement from the company read. "We have contacted the developers and have disabled the Secret Crush application for violating Facebook Platform Terms of Service."
» www.news.com/8301-13577_ ··· 1_3-0-20
|
TeMerc6 |
PG weighs in on the whole Facebook\Zango thing and oddly enough, or rightly so, is almost on Zango's side. Ya you read that right. Like everyone else, I went "ooooh" when I first heard about this. For those who don't know, an application on Facebook - when you installed it - "installed Zango spyware" (according to the numerous writeups), meaning the Zango Adware was the final destination, the main reason, for making this application in the first place.
However, Zango came out swinging with their latest blog post and also claimed they have no affiliation with the makers of the Secret Crush application, which seems a little odd considering the maker of the application would have no direct incentive to install their Adware if they didn't have an account with them.
They also posted up a screenshot that seems to show the application merely showing randomly selected adverts - not just an advert for Zango
» www.vitalsecurity.org/20 ··· -on.html
|
mysec Premium Member join:2005-11-29 |
to TeMerc6
Shortly after this topic appeared, and after looking more closely at the whole scenario of this "application developer" process, I advised those who I know have kids that use Facebook to just prohibit them from installing *any* of these applications. So far, I've not heard any complaints that they have felt that they've missed out on something by not installing a developer application. For the older kids who make their own decisions, well, one hopes they don't succumb to peer pressure. See especially the "Joy of Tech" cartoon at the end of this article.
Exclusive: The next Facebook privacy scandal » www.news.com/8301-10784_ ··· 1_3-0-20
quote: Facebook's Web site and lengthy application terms of service curiously fail to mention something rather important. In addition to providing the application developer access to most of your private profile data, you also agree to allow the developer to see private data on all of your friends too...
The applications don't actually run on Facebook's servers, but on servers owned and operated by the application developers.
---- rich |
|
Blackbird
Premium Member
2008-Jan-23 11:44 pm
They just really don't seem to get it do they?
From » www.news.com/8301-10784_ ··· 1_3-0-20
... I asked Facebook's Kelly what his company is doing to ensure that application developers do not violate the rules by saving a copy of user data that passes through their servers. He cited "extensive security mechanisms operating behind the scenes," although, he refused to expand on this, due to "security reasons." He wasn't too happy when I accused him of practicing security through obscurity, a concept widely mocked in security circles. He dismissed my charge as a mischaracterization.
Kelly claimed that his company "has a variety of techniques to determine if [developers are saving user data.]" As a PhD student in Information Security, I can quite confidently say that from a technical perspective, this is impossible. Simply put, once the data leaves Facebook's servers, the company has no way of knowing what happens to it. Thus, giving Mr. Kelly the benefit of the doubt, I can only assume that Facebook has a team of trained psychics on staff who use their mysterious powers to ferret out rogue developers.
And this Chris Kelly is Facebook's chief privacy officer!
|
|