Facebook Applications Aren’t Always Your Friends

I came across a worrying article today at online security site Fortinet.

The post (also picked up by Help Net Security) details how a rogue Facebook application allegedly dupes users into installing the infamous "Zango" adware/spyware and inviting friends to do the same.

Zango disputed the claim, saying the application had nothing to do with them. The company insisted that the screenshots showed an ad it had placed legitimately through Facebook, and that the application appeared to show random ads to users.

That may be true, as the widget was ultimately disabled by its makers once they realized people were being redirected to Zango’s site. By this point, the application had been installed by 4% of Facebook’s 60 million users (or 2.4 million people).


Wider Issues?

Whatever the truth of this particular case, it is an important reminder to be careful online. It is also a good illustration of how Facebook conditions its users to give away their information, and of some of the risks that come with that.

In a nutshell, malicious applications can get access to your computer in three steps.

Step 1: Get users to share their information with the application

As with all Facebook applications, the first step of the process involved getting users to share their information with the application.

This doesn’t scare many Facebook users – they’re used to giving access to applications. This particular application informed people that someone had a secret crush on them. The resulting curiosity, combined with this conditioning, meant over 2 million people shared their information.

Step 2: Get users to invite others

The application then informs users that before they can proceed, they need to invite at least five friends to join too.

In a way, this is genius – people willingly spread the very application that causes the problem.

As Fortinet notes:

Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point. Therefore, most of them will invite at least 5 friends to complete the process.

Step 3: Redirect users to the malicious site

In this case, the page redirected to an ad from Zango, which in turn sent users to a page on Zango’s own site.

As applications can redirect a page frame to a third-party site, it would be easy to direct users to a well-designed site that cons people into installing malicious software.

Bottom line: Don’t be lulled into a false sense of security just because you’re on Facebook. Be careful with what you install on your computer. Everything isn’t always what it seems.

  • For more details about the great deal of silliness that’s been written about this, see my blog posting at:


    Ken Smith
    CTO, Zango

  • Hi Ken,

    I’m impressed that you keep an eye out for posts talking about your company. Thanks for the link bait.

    I’d be interested to hear your thoughts on how this kind of situation can be avoided, and perhaps how Facebook apps could be improved to avoid harming both consumers and companies.


  • Sorry, just now discovered this request for dialog, nearly six months later :-(.

    The fundamental issue isn’t Facebook apps, but rather, dangerous third-party content that gets distributed through ad networks. (I should hasten to say that Zango’s software does NOT fall into this category.) The problem exists any time you visit a website that links to a third-party ad network that doesn’t do a great job of scrubbing its advertisers. A LOT of hackers now have accounts on second or third tier ad networks, and they place exploit code on sites that their “ads” redirect to. Most ad networks are pretty good about cleaning stuff like this up, but I’ve run into some that simply ignore any reports of problems with their advertisers. IMO, the security community should be VERY aggressive about outing advertisers who fail to take this problem seriously.

    There’s room for a technology solution here as well. Companies like SiteScout and their competitors can do a lot to flag potentially dangerous landing pages for review by the ad network in question. But first you have to understand what the real problem is, and then take the problem seriously, and I don’t see much sign that folks are doing either of those yet.

  • Robert

    Since a couple of days ago I’ve been getting bombarded by app redirects on Facebook to various advertising sites – some are adult related, others are different.

    I scanned my system for spyware – nothing detected. Could this be a Facebook spyware / virus, or is Facebook now allowing app developers to maliciously do this??

  • Lesley

    Can somebody, anybody, talk me through making a Facebook application please? I have no idea what I am doing. I could really do with some help.