Zango Strikes Back: Says Fortinet Report on Facebook Malware is “Fundamentally Untrue”

Online media vendor Zango says it isn’t attacking Facebook users with malware. In a recent report, security vendor Fortinet claimed Zango was installing spyware when Facebook members chose to use the”Secret Crush” widget, a small application that enticed people with phrases such as “one of your friends might have a crush on you!” (We previously published an article on the report.)

In a recent phone call with CIO.com, however, Kevin Osborne, Zango’s associate corporate counsel, called Fortinet’s claims “fundamentally untrue.” Osborne says he believes that when Fortinet researchers installed the “Secret Crush” widget, they were led to a standard page that verified that the widget had been added to the user’s profile. At that point, Osborne contends, Fortinet saw a legitimate advertisement for Zango that was automatically generated by Facebook. Osborne says that Zango would not have installed any software without the user’s permission.

Osborne added that the maker of Secret Crush, a company called Mobile Marketing, was in no way affiliated with Zango. Zango posted a blog post to its company site further refuting Fortinet’s claims.

Fortinet declined an interview with CIO.com, but it issued the following statement: “After additional investigation, Fortinet confirms that our research related to the ‘Secret Crush’ (Facebook Widget) was accurate as of posting our advisory on January 2, 2008. The behavior shown in our screen shots simply showcases the observations the FortiGuard Global Security Research Team made on that date. We stand behind our original research.”