I have been predicting this problem for some time, and it has now happened.
There are very few controls on who can create a Facebook application (or widget), and what they can be programmed to do. Also, Facebook users are being trained to accept a collection of permission settings each time they install a new application. The result seemed inevitable — someone would create a nasty application that did bad things.
This article describes how the “Secret Crush” widget installs spyware on Facebook users’ computers without them knowing. This is bad, and it is just the beginning of Facebook application problems.
The Fortinet Global Security Research Team discovered a malicious Facebook Widget (officially, a “Platform Application”) actively spreading on the social networking site, which ultimately prompts users to install the infamous “Zango” adware/spyware.
As of writing, the widget is already being used by 3% of the Facebook community, which amounts to over one million users – all in a very small time-frame. This demonstrates the effectiveness of the propagation strategy employed by the widget, as well as the potential capitalization on a large user base such as Facebook’s.