Facebook Crush app reveals spyware but no lovers

Security firm Fortinet has warned that Facebook users face certain disappointment and possible spyware if they attempt to discover who sent them a "Secret Crush" application invite.

Recipients of the Secret Crush invitation are lured to install the application by the promise of finding the so-called sender's identity, which the application hints it will only divulge once the recipient accepts the terms and conditions -- giving the developer access to personal information -- and then invites five friends to install the application as well.

After following the procedures, rather than discovering the identity of the sender, the recipient merely installs a horoscope-based "Crush Calculator" application, which delivers advice on the compatibility of different users that have installed the application.

However, Fortinet's claims of improper behaviour centre on the alleged surreptitiously-installed spyware that is packaged with the application by adware company, Zango.

In November, 2006 Zango, formerly 180solutions, was forced to cede an amount of US$3 million in what the US Federal Trade Commission labelled "ill-gotten gains". Recently, Zango lost its lawsuit against antivirus vendor Kaspersky, after it claimed Zango was a threat to users.

However Zango denies Fortinet's claims, saying it is a victim of circumstance since its iFrame ad became associated with the Secret Crush application due to a third-party advertising partner, which set Zango's ad to appear on Facebook when a user installs the "Secret Crush" application -- a practice Zango claims is "completely legitimate".

"At no point in adding the Secret Crush widget to a Facebook profile does the widget install either spyware or Zango software, or even attempt to do so. Any suggestion that Zango software is being 'secretly installed' is simply not true," Zango claimed on its blog.

"Moreover, our general security monitoring of the Zango network has shown no abnormal increase in installations -- something we would have seen based on the reported usage numbers of the Secret Crush widget," it added. Following initial warnings of the application, Secret Crush was renamed to My Admirer and subsequently disabled.

Fortinet estimates that around three percent of Facebook users currently have the Secret Crush widget installed.

CNET News.com's Robert Vamosi contributed to this report