More than one million Facebook users could be affected by a malicious widget.
Researchers from security firm Fortinet have uncovered a malicious widget running amok within the Facebook social networking community.
The widget appears as a "Secret Crush" request inviting users to find out which of their friends might have the hots for them.
But the widget acts as a social worm, prompting users to unwittingly download the infamous Zango adware/spyware application, and to nominate five further friends, with their contact details, to do the same.
Those who have seeded the program within Facebook are cashing in, getting rewarded "per click", said Fortinet.
The widget is already being used by 3% of the Facebook community, Fortinet said, which amounts to more than one million users.
Fortinet has issued an advisory on the malicious widget.