Fortinet’s so-called “Advisory,” issued Wednesday with the attention-seeking headline "Facebook Widget Installing Spyware," is completely false as it relates to Zango. A thorough investigation by Zango security personnel reveals no silent or surreptitious installation of any software, much less any “spyware,” by or in connection with the “Secret Crush” widget. Zango has attempted in multiple ways to communicate with Fortinet, all of which have been substantively unsuccessful. The Secret Crush widget is not affiliated with Zango.
The errors start with the Advisory’s headline, which is (at best) inaccurate and misleading. At no point in adding the Secret Crush widget to a Facebook profile does the widget install either spyware or Zango software, or even attempt to do so. Any suggestion that Zango software is being “secretly installed” is simply not true. Moreover, our general security monitoring of the Zango network has shown no abnormal increase in installations – something we would have seen based on the reported usage numbers of the Secret Crush widget.
It is Figure 5 in the Fortinet Advisory where Zango’s desktop advertising software enters the story. Figure 5, which we could not re-create or re-generate, appears to be an ad in an IFrame delivered to a Facebook user after he or she has added the Secret Crush widget to a Facebook profile. The screenshot below shows the ad we saw yesterday during our investigative efforts.
Ad delivered January 3, 2008 during Zango’s attempts to re-create Figure 5 from the Fortinet Advisory. This ad has no connection to Zango or Zango software.
If clicked, the above ad, like the one in Figure 5 of the Fortinet Advisory, takes a consumer to a marketing offer – in the above case, a sign-up page for a subscription horoscope service sent to a cell phone. That offer is unaffiliated with Zango. In the case of the Zango ad seen by Fortinet, if clicked it would have taken a consumer to Zango’s standard plain-language notice and consent page where consumers could choose to install Zango software and access (without subscription) a Zango Astrology application – or choose not to install the software. Although we did not purchase this ad directly, it was placed by one of our advertising partners within the Facebook system, which appears to be a completely legitimate practice.
We applaud Fortinet for reminding the Internet community of the possible privacy issues associated with widgets on social networking sites. That real and important message is diluted by the inclusion of obvious and avoidable errors. Fortinet did not bother to seek Zango’s input on its Advisory prior to its release.
Zango is committed to consumer transparency and value and will continue to aggressively investigate any concerns that arise. In this case, there are no concerns relating to Zango.
Zango Advisory: As of this posting, the Zango security team has observed that the Secret Crush widget on Facebook is now called the “My Admirer” widget.