January 08, 2008 — CIO —
The hook was playful: Facebook users received a "Secret Crush Invitation," saying, "One Of Your Friends Might Have a Crush On You!" But the reality was stark: This malware hiding behind a Facebook widget installed spyware on as many as 1.7 million machines—and taught some lessons about managing social networks that business cannot ignore, say security experts and vendors, including Fortinet, which released a detailed report on the incident.
First, security analysts say, the incident should serve as a reminder that the burden of vetting the legitimacy of third-party widgets—applications that run atop webpages made by developers who don't work for the host company—rests in the hands of the user. That's true both at home and work.
"The way it is now, once a widget gets bad enough and people complain, the social networks will yank the application reactively," says Chris Wysopal, chief technology officer at Veracode, a security vendor that specializes in application testing. "Meanwhile, a million people had their machines compromised by an application."
Facebook shut down the Secret Crush widget last week after receiving complaints that the application had placed malicious adware onto users' computers. According to Fortinet, 3 percent of Facebook's 59 million active users added Secret Crush to their profiles, amounting to roughly 1.7 million people. Zango, an online media company cited in the report as having installed the spyware, issued a statement calling the Fortinet report "untrue."
To reach that many users, Secret Crush relied on viral popularity, the social engineering model that most Facebook widgets use, says Derek Manky, a security research engineer for Fortinet. Upon getting a Secret Crush invitation, the user could choose to click on a button that said "find out who!" After clicking, the user saw a Facebook authorization page that asked for permission to add the Secret Crush application. Then a "download now" button added a "Crush Calculator" to the PC desktop, and at this point the spyware infiltrated the user's machine.
Like any Facebook widget, the "add this application" page stated clearly that the user would allow the third-party developer to "know who I am and access my information." It also said, in bold text, that "Secret Crush was not created by Facebook." But even with these crystal clear warnings, most users wrongly assume Facebook has vetted the third-party applications before they become available in the directory, says Fortinet's Manky.