WARNING: Widgets can hijack your dashboard


Thud
This is not good....

http://www.tuaw.com/2005/05/07/the-p...-with-widgets/


I haven't installed the "demo" widget. But here's the summary:

1) Widgets cannot be removed from the widget bar once they are installed (according to Apple's help files), unless you edit an XML file and reboot.

2) By default, widgets will auto-install automatically through Safari, WITHOUT PROMPTING or asking for a password. The article shows how to disable this "feature."

3) Widgets can be made to use an obscene image as its icon, which will then take permanent residence in your widget bar, until you do some XML file editing (see #1)

4) A widget can be programmed to load a particular web page in the browser (which also closes the dashboard). This means that you effectively cannot open the dashboard (because it closes immediately) and thus you can't remove the offending widget from the dashboard, after the widget was installed automatically without your permission!


Well, as both a Windows and Mac user, I would like to welcome Mac users to the wonderful world of spyware, and something that doesn't exist in the Windows world -- Dashboard Hijackers.
The question is, will Apple fix this gaping security hole before somebody exploits it?

Apple
I always was just able to delete the widget file out of ~/Library/Widgets then reboot my comp to get rid of some.
This is very scary though

iWhat
I adjusted my prefs, thanks for the heads up.

donnation25
Me Too!!!

torchy
I would have thought that removing them from ~ user library > widgets and trashing them would have been enough. I have already removed a few that didn't work as expected. No sign of the removed ones now. A reboot would make sure.
Looks a bit like FUD.
I've always had the pref. option to open safe files after downloading unticked ~ too long on Windows :-)

~ 13" MacBook Air. OSX 10.9 ~ iPad 2 & iPhone ~

Avalon
To remove a widget outside of Dashboard, delete it from ~/Library/Widgets (and from your Trash, afterwards) and relaunch the Dock. Dashboard seems to be part of the Dock, and after relaunching it, the deleted Widget is not anymore in the Widget-bar.
To relaunch the Dock, you can use for example TinkerTool, or simply log out and log in again. There's definitely no need to restart the Mac. Just make sure that, when you delete the Widget from ~/Library/Widgets you also empty the trash, or at least delete the Widget from the trash to permanently remove it.

This is, of course, not the way it should be. Apple should have given an option to remove a Widget in an easier way (as we are used to from them).
And the fact that Safari, by default, opens every downloaded file is not really secure either...reminds me of Internet Explorer...
Since version 2.0, Safari does however give you a warning when a downloaded file is executable...except for Widgets, which, in my opinion, is a serious flaw.

EDIT: Another option to relaunch the Dock is going to the Terminal and typing killall Dock (case sensitive).

Macman
thanks for the heads up, I don't have tiger yet, but useful info for when I get it. thanks.

schweb
It's very easy to remove widgets. I think this article is way overblown. BTW, a nice new app is out that gives you a preference pane for managing widgets:

http://www.macupdate.com/info.php/id/17990

schweb | community leader

jessica
[newbie alert] when you all say "I updated my prefs" can you elaborate on that?

Amen-Moses
Quote:
Originally Posted by jessica
[newbie alert] when you all say "I updated my prefs" can you elaborate on that?
Go Safari->Preferences and 'untick' the 'Open "safe" files after downloading' option.

Amen-Moses

Ex_PC_Puke
Interesting - and coming from the Windows world - I did have a concern about dashboard objects as being an entry point into the OS --- I would hope that Apple would ensure that a widget has certain rules as they are either

- Totally passive just displaying info
- Interactive making a request - then displaying results

A widget should only be able to operate in the memory space allowed for widgets and should have some limit on memory footprint

Widgets do need to be contained !!!!

Apple may need to make a widget manager / snooper
- helps you totally exorcise (with prejudice) a widget from the dashboard
- Snoops for strange widget behavior
- Bandwidth hogging
- sending / receiving too much crap i.e. bandwidth
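
Added example, not written by any poster in this thread: a shell script that lists the widget bundles in a widgets folder (~/Library/Widgets, as named in the posts above), shows which access keys each bundle's Info.plist sets to true, and reports Safari's auto-open preference. The Info.plist key names and the `AutoOpenSafeDownloads` default come from Apple's widget format and Safari preferences rather than from the thread; the function names and the `WIDGET_DIR` variable are made up for this example, and it assumes XML-format plists.

```shell
#!/bin/sh
# Added example (not from the thread): inventory Dashboard widgets and the
# access each one requests. Assumes XML Info.plist files; convert binary ones first.

# Info.plist keys a widget sets to ask for more than passive display.
ACCESS_KEYS="AllowFullAccess AllowSystem AllowNetworkAccess \
AllowFileAccessOutsideOfWidget AllowInternetPlugins AllowJava"

# plist_true FILE KEY: succeeds if KEY is immediately followed by <true/>.
plist_true() {
    tr -d ' \t\r\n' < "$1" | grep -qF "<key>$2</key><true/>"
}

# audit_widgets DIR: one tab-separated line per *.wdgt bundle:
# bundle name, then the access keys set to true (or "none").
audit_widgets() {
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue            # also skips an unmatched glob
        name=$(basename "$w")
        if [ ! -f "$w/Info.plist" ]; then
            printf '%s\t%s\n' "$name" "NO-INFO-PLIST"
            continue
        fi
        flags=""
        for k in $ACCESS_KEYS; do
            if plist_true "$w/Info.plist" "$k"; then
                flags="${flags:+$flags,}$k"
            fi
        done
        printf '%s\t%s\n' "$name" "${flags:-none}"
    done
}

# safari_auto_open: prints 1, 0, "unset" (Safari's built-in default applies)
# or "unknown" (no `defaults` tool, i.e. not macOS).
safari_auto_open() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) || v=unset
    echo "$v"
}

audit_widgets "${WIDGET_DIR:-$HOME/Library/Widgets}"
echo "Safari AutoOpenSafeDownloads: $(safari_auto_open)"
```

A bundle that shows up here without you having installed it, or one that sets `AllowFullAccess` or `AllowSystem`, is the one to look at first.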
Amen-Moses

 
Quote:
Originally Posted by PC_Puke
Interesting - and coming from the windows world - I did have a concern about dashboard objects as being an entry point into the OS
Widgets are as safe as any other Javascript/Applescript environment, i.e like for example Safari. The protection is provided by Darwin and unless you do something really stupid like publishing your root password then no real damage can come from them.

If you really feel the need you can always edit your dashboard plist file so that the widgets are loaded from a different location in which only you can install them.

Amen-Moses

djlee12
Thanks for the heads-up

DJ Lee

Watts Up Productions
www.wattsupproductions.com

Strider
Wow interesting read. Guess our OS X is not that safe now. I wonder how Apple could let something like this slip..

meltbanana314
Quote:
Originally Posted by Strider
Wow interesting read. Guess our OS X is not that safe now. I wonder how Apple could let something like this slip..
Everybody makes mistakes, including Apple.

Even though this problem may be easily exploitable, I don't think we'll see a lot of problems with it because most Mac users aren't 13 year old uber-133t script kiddies who want to make life miserable for everyone by cracking into other people's computers.