Facebook's "Secret Crush" malicious widget tricks users

ronjor · Jan 4, 2008

That's according to security firm Fortinet, which says it discovered the sneaky Secret Crush malicious code in the last few days, which appears so far to have infected about three million Facebook users.
Click to expand...

Story

Rmus · Jan 5, 2008

Last year Facebook announced their third-party developer platform. I didn't pay much attention to it. I should have.

Facebook Launches Facebook Platform; They are the Anti-MySpace
http://www.techcrunch.com/2007/05/24/facebook-launches-facebook-platform-they-are-the-anti-myspace/

The payoff is two way. Not only do developers get deep access to Facebook's twenty million users, Facebook also becomes a rich platform for third party applications.

Facebook's strategy is almost the polar opposite from MySpace. While MySpace frets over third party widgets, alternatively shutting them down or acquiring them, Facebook is now opening up its core functions to all outside developers.
Click to expand...

Platform Application Terms of Use
http://developers.facebook.com/user_terms.php

III. Use of Platform Applications

(a) Developer Applications. When you install a Developer Application, you understand that such Developer Application has not been approved, endorsed, or reviewed in any manner by Facebook, and we are not responsible for your use of or inability to use any Developer Applications, including without limitation the content, accuracy, or reliability of such Developer Application and the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK.

Developers may require you to agree to their own terms of service, privacy policies and/or other policies as a condition of using Developer Applications. Those terms and/or policies may give Developers rights with respect to your Facebook Site Information beyond those provided by the Developer Agreement.
PLEASE REVIEW EACH DEVELOPER'S TERMS AND/OR POLICIES CAREFULLY.
Click to expand...

How will someone be able to trust any third-party application (executable) that appears on the site? My one user of Facebook - a teenager - knows not to click-to-install anything that pops up on the screen. But this is different.

If you tell your users to say "NO" to everything, then they are deprived of part of the site's activities.

I suppose running the browser in a Sandbox will be one solution...

----
rich

Log in or Sign up

Facebook's "Secret Crush" malicious widget tricks users

ronjor Global Moderator

Rmus Exploit Analyst

Log in or Sign up

Facebook's "Secret Crush" malicious widget tricks users

ronjor Global Moderator

Rmus Exploit Analyst

Useful Searches