What “Secret Crush” Widget Can Teach Business About Managing Facebook

The hook was playful: Facebook users received a “Secret Crush Invitation,” saying, “One Of Your Friends Might Have a Crush On You!” But the reality was stark: This malware hiding behind a Facebook widget installed spyware on as many as 1.7 million machines—and taught some lessons about managing social networks that business cannot ignore, say security experts and vendors, including Fortinet, which released a detailed report on the incident.

MORE ON FACEBOOK

How to Create a Successful Facebook Widget

Five Favorite Facebook Widgets for Business Users

Confessions of a Facebook Addict

First, security analysts say, the incident should serve as a reminder that the burden of vetting the legitimacy of third-party widgets—applications that run atop webpages made by developers who don’t work for the host company—rests in the hands of the user. That’s true both at home and work.

“The way it is now, once a widget gets bad enough and people complain, the social networks will yank the application reactively,” says Chris Wysopal, chief technology officer at Veracode, a security vendor that specializes in application testing. “Meanwhile, a million people had their machines compromised by an application.”

Facebook shut down the Secret Crush widget last week after receiving complaints that the application had placed malicious adware onto users’ computers. According to Fortinet, 3 percent of Facebook’s 59 million active users added Secret Crush to their profiles, amounting to roughly 1.7 million people. Zango, an online media company cited in the report as having installed the spyware, issued a statement calling the Fortinet report “untrue.”

To reach that many users, Secret Crush relied on viral popularity, the social engineering model that most Facebook widgets use, says Derek Manky, a security research engineer for Fortinet. Upon getting a Secret Crush invitation, the user could choose to click on a button that said “find out who!:” After clicking, the user saw a Facebook authorization page that asked for permission to add the Secret Crush application. Then a “download now” added a “Crush Calculator” to PC desktop, and at this point, the spyware infiltrated the user’s machine.

Like any Facebook widget, the “add this application” page stated clearly that the user would allow the third-party developer to “know who I am and access my information.” It also said, in bold text, that “Secret Crush was not created by Facebook.” But even with these crystal clear warnings, most users wrongly assume Facebook has vetted the third-party applications before they become available on the directors, says Fortinet’s Manky.

“There’s always a false sense of security they have, which is the root of the problem,” he says. “A lot of the onus is put on the user, because Facebook just has its terms of service and a disclaimer.”

Widgets Have No Safety Net

Facebook seems to have little motivation to deal with the problem more substantively (this is true for its competitors as well). Since Facebook opened up its platform to third-party developers, its directory of applications has grown to more than 12,000. With the wave of widgets, developers have stressed greater user interaction. More interaction makes it easier to sell advertisements, which is how Facebook makes money. “It goes against their business model [to monitor third-party applications more strictly],” says Veracode’s Wysopal.

A reading of Facebook’s terms of use reveals a broadly phrased disclaimer aimed at absolving the social network of liability. In the section about third-party applications, the terms note, “When you install a developer application, you understand that such developer application has not been approved, endorsed, or reviewed in any manner by Facebook, and we are not responsible for your use or inability to use any Developer Applications.” The terms also note, in all capital letters, “YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK.”

Even if users bother clicking on the terms, it’s unlikely the majority of users who add third-party applications understand the risks, says Fortinet’s Manky. This pattern of behavior could be increasingly damaging to companies as users of social networks log on at work, exposing the corporate network (and the data that resides on it) to attackers.

Reason to Ban Facebook?

Though it may seem easy to dismiss the Secret Crush widget as a problem for the consumer space, you shouldn’t. Social networking is being embraced by businesses everywhere—and it’s not just about social lives and romance. In a Sept. 2007 Forrester Research survey of IT decision makers at companies with 500 or more employees, almost 70 percent saw limited or moderate business value from the use of social networks. An additional 13 percent saw substantial value.

In the wake of Secret Crush, security analysts say it might be tempting for companies and IT departments to use the incident as an excuse to discourage or even ban the use of consumer social networks.

“If you’re a business, it’s reasonable to lean on the conservative side,” says Veracode’s Wysopal. “Every new platform [like Facebook] has new risks and vulnerabilities.”

But Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, says companies shouldn’t bother making a scapegoat of Facebook. He believes poor Web browser security plays a bigger part in allowing malicious code onto people’s computers (and possibly networks).

“It’d be unfair to point the finger at Facebook,” Grossman says. “Just surfing the Web itself is problematic for users. At the end of the day, there is no browser security.”

The programming languages used by websites today contribute to the porous security, Grossman says. When JavaScript came of age in the 1990s, it helped websites give their users interactive features that led to the Web 2.0 movement—of which Facebook has become a celebrated example. The interactivity created between the website and the user has come at a cost, though. As noted by the annual report from Stopbadware.org, an initiative run by Harvard Law School’s Berkman Center for Internet & Society and Oxford University’s Oxford Internet Institute, “when used to distribute badware, JavaScript is often encoded or encrypted to make its malicious nature difficult to detect.”

Educate Users on Risks

At first glance, the best answer for enterprises looking to solve the social networking security problem would seem to be internal, enterprise-worthy social networks, populated only by those in the corporation. But viable enterprise options have been limited. While IBM, for example, came out with its Lotus Connections software suite, which includes social networking for employees, adoption of the function has been slow, according to Oliver Young, a Forrester analyst who’s following a new social networking tool for Connections. “Few firms have implemented a large-scale social network like Lotus Connections,” he notes.

Vendors, including IBM, remain tight-lipped about how many companies utilize the social network profiles of software suites.

Meanwhile, startup vendors have responded by designing business applications and tools that leverage the power of consumer social networks like Facebook. About a week before the New Year, WorkLight, a Web 2.0 startup, announced it had built a tool for Facebook that allows users from one company to share corporate data with one another safely, without compromising that information to unsanctioned users.

Until more tools become developed, security experts say that corporate IT departments must encourage better user education. In addition, IT leaders should make sure to share stories about identity theft and other random incidents (like Secret Crush) where users machines were damaged by malware.

“They (users) need to be more paranoid,” says Grossman.