Facebook widgets try to install spyware
Fortinet's security team warns about spyware that spreads through the Facebook social networking site. According to the advisory, the spyware uses the Facebook widget feature, which allows users to integrate their own programs into the pages of the web portal. When attacked, a user is informed that "Someone has a Secret Crush on you". To find out who this person is, the user is then instructed to install the "Secret Crush" widget. However, in order to proceed, the user has to invite an additional five contacts to install the widget.
The widget itself contains an IFrame which links to the Zango adware/spyware. Upon installation, Zango injects advertisements and other content. Although the user still has to install the software, Fortinet believes that the sender of these "Secret Crush" invitations exploits the carefree nature of Facebook users: those who are prepared to publish personal information also don't hesitate to install widgets and click on various links. In principle, widgets could be exploited to slip users IFrames that point to pages which infect systems through browser vulnerabilities, similar to the exploits which used the MPack web attack toolkit last year. Facebook has been informed about the problem.
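A defensive check for the mechanism described above, as an added example that is not from Fortinet's advisory or from Facebook: it parses widget markup and reports every IFrame whose source resolves to a host outside a reviewer-defined allowlist, noting whether the frame is visually hidden. The host names, the allowlist and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: hosts the reviewer trusts for frames embedded in a widget.
ALLOWED_HOSTS = {"apps.example-social.test"}

# Constructed sample markup; both host names are placeholders.
SAMPLE_WIDGET = """
<div class="widget">
  <p>Someone has a Secret Crush on you</p>
  <iframe src="/canvas/invite" width="400" height="300"></iframe>
  <IFRAME SRC="//ads.example-adware.test/install" width="0" height="0"></IFRAME>
</div>
"""


class IframeAuditor(HTMLParser):
    """Record the resolved target of every frame in a widget's markup."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        attr = {name: (value or "") for name, value in attrs}
        # urljoin resolves relative and protocol-relative (//host/path) sources.
        target = urljoin(self.base_url, attr.get("src", "").strip())
        host = (urlsplit(target).hostname or "").lower()
        style = attr.get("style", "").replace(" ", "").lower()
        hidden = (attr.get("width") in ("0", "1") or attr.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"src": target, "host": host, "hidden": hidden,
                              "external": host not in ALLOWED_HOSTS})


def audit_widget(markup, base_url):
    """Return the frames whose target host is not on the allowlist."""
    auditor = IframeAuditor(base_url)
    auditor.feed(markup)
    auditor.close()
    return [f for f in auditor.findings if f["external"]]


if __name__ == "__main__":
    for finding in audit_widget(SAMPLE_WIDGET, "https://apps.example-social.test/widget/1"):
        print(finding)
```

Sources with no host at all, such as `javascript:` or `data:` URLs, are also reported, because an empty host is never on the allowlist.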
- Facebook Widget Installing Spyware, Fortinet advisory