Online media firm Zango is firing back after a highly publicized security warning charged it with illicitly propagating adware through a rapidly spreading Facebook widget.
Zango executives told InternetNews.com that security researchers at Fortinet, who initially identified the now-infamous “Secret Crush” widget and labeled it as spyware, were mistaken in blaming it on Zango.
“Fortinet’s ‘Facebook Widget Installing Spyware’ advisory is blatantly untrue,” Zango CEO Keith Smith said in a statement. “The falsification of a security report is absolutely irresponsible and reprehensible. Fortinet should do the right thing and correct its advisory.”
The Secret Crush widget ultimately spread to more than 1.5 million Facebook users before the social networking site disabled it for violating its terms of service. The site also said it contacted the widget’s developer, though it has yet to indicate who it might be.
Facebook also warned its users to exercise caution when installing applications from third-party developers.
The issue came to light when researchers at Fortinet reported a rapidly spreading Facebook widget was enticing users to download adware from Zango by promising to reveal the identity of a secret admirer.
The Secret Crush application (later renamed “My Admirer”) insisted that users forward it along to at least five friends before they could learn which one of their virtual pals was sweet on them. Once users forwarded the widget, Fortinet claimed they were directed to a screen prompting them to download adware from Zango, with no admirer ever being revealed.
Now, Zango is defending itself. The company’s downloadable software — which includes games, screensavers, browser add-ons, horoscope apps and other products — commonly launches pop-up ads. But in an interview with InternetNews.com, Smith emphatically denied any connection between the Secret Crush widget and Zango.
“We have nothing to do with that widget — it is entirely unassociated with us,” he said.
Smith said the confusion likely arose over the widget’s installation sequence. After installing Secret Crush, users were directed to a revolving ad placement that was separate from the widget itself, he said.
Zango’s ad — which the firm said had been placed through an ad network — just happened to be the one that the Fortinet researchers based their report on, he said.
Smith said that in Zango’s own subsequent testing of the Secret Crush widget, its team never saw the Zango ad appear. Just the same, Zango pulled the ad from the network, he said.
Smith also took issue with Fortinet’s designation of its software as “spyware/adware,” and with InternetNews.com’s own description of its downloadable software as “malware.”
He said that Zango’s applications are legitimate advertising-supported software.
Yet in an updated advisory, Fortinet did not back down from its charges against Zango, continuing to describe Zango’s application as “spyware/adware.”
Spokespeople at the security firm declined to comment on whether the installation of the Secret Crush widget could direct the user to placements from firms other than Zango.
The only substantive addition to Fortinet’s warning was a screen shot of a message, evidently posted by the widget’s anonymous developer, that now greets users trying to access the blocked Secret Crush widget.
In the note, the developer apologized for any problems arising from the application, and expressed regret that some users had been directed by a third-party ad network to a Zango application.
While it’s unclear who’s at fault, the debate isn’t the first time that Zango has come under scrutiny for its advertising practices. In November 2006, Zango reached a $3 million settlement with the Federal Trade Commission and agreed not to install its adware without providing clear and prominent disclosure and obtaining informed consent.