Page 1 of 2 12 LastLast
Results 1 to 15 of 25
  1. #1
    Thud
    Guest
    WARNING: Widgets can hijack your dashboard
    This is not good....

    http://www.tuaw.com/2005/05/07/the-p...-with-widgets/


    I haven't installed the "demo" widget. But here's the summary:

    1) Widgets cannot be removed from the widget bar once they are installed (according to Apple's help files), unless you edit an XML file and reboot.

    2) By default, widgets will auto-install automatically through safari, WITHOUT PROMPTING or asking for a password. The article shows how to disable this "feature."

    3) Widgets can be made to use an obscene image as its icon, which will then take permanent residence in your widget bar, until you do some XML file editing (see #1)

    4) A widget can be programmed to load a particular web page in the browser (which also closes the dashboard). This means that you effectively cannot open the dashboard (because it closes immediately) and thus you can't remove the offending widget from the dashboard, after the widget was installed automatically without your permission!


    Well, as both a windows and mac user, I would like to welcome mac users to the wonderful world of spyware, and something that doesn't exist in the windows world -- Dashboard Hijackers.
    The question is, will Apple fix this gaping security hole before somebody exploits it?

  2. #2
    Apple
    Guest
    I always was just able to delete the widget file out of ~/Library/Widgets then reboot my comp to get rid of some.
    This is very scary though

  3. #3

    iWhat's Avatar
    Member Since
    Nov 11, 2004
    Location
    Toledo, Ohio
    Posts
    5,736
    Specs:
    Macbook, iMac G5, iPad, iPhone 4, iPod (MANY)!
    I adjusted my prefs, thanks for the heads up.

  4. #4

    donnation25's Avatar
    Member Since
    Feb 18, 2005
    Posts
    120
    Specs:
    20" iMac G5 1GB RAM Superdrive; 12" powerbook 512mb RAM G4 Superdrive
    Me Too!!!

  5. #5

    torchy's Avatar
    Member Since
    Aug 25, 2004
    Location
    New Zealand
    Posts
    760
    Specs:
    13" MBA. 15" MBP. iPhone 4. 3G Pad 2.
    I would have thought that removing them from ~ user library > widgets and trashing them would have been enough. I have already removed a few that didn't work as expected. No sign of the removed ones now. A reboot would make sure.
    Looks a bit like FUD.
    I've always had the pref. option to open safe files after downloading unticked ~ too long on windows :-)
    ~ 13" MacBook Air. OSX 10.9 ~ iPad 2 & iPhone ~

  6. #6

    Avalon's Avatar
    Member Since
    Jun 25, 2004
    Location
    Luxemburg, Europe
    Posts
    1,779
    Specs:
    PowerMac G5 Dual 2GHz (June 2004), 2.5GB, Airport, black 5G iPod 30GB, white MacBook 2.0 2GB
    To remove a widget outside of Dashboard, delete it from ~/Library/Widgets (and from your Trash, afterwards) and relaunch the Dock. Dashboard seems to be part of the Dock, and after relaunching it, the deleted Widget is not anymore in the Widget-bar.
    To relaunch the Dock, you can use for example TinkerTool, or simply log out and log in again. There's definitely no need to restart the Mac. Just make sure that, when you delete the Widget from ~/Library/Widgets you also empty the trash, or at least delete the Widget from the trash to permanently remove it.

    This is, of course, not the way it should be. Apple should have given an option to remove a Widget in a more easy way(as we are used to from them).
    And the fact that Safari, by default, opens every downloaded file is not really secure either...reminds me of Internet Explorer...
    Since version 2.0, Safari does however give you a warning when a downloaded file is executable...except for Widgets, which, in my opinion, is a serious flaw.

    EDIT: Another option to relaunch the Dock is going to the Terminal and typing killall Dock (case sensitive).

  7. #7

    Macman's Avatar
    Member Since
    Oct 30, 2004
    Location
    San Antonio, Texas
    Posts
    4,374
    Specs:
    PowerMac G4 Cube 450mhz 832mb
    thanks for the heads up, I don't have tiger yet, but useful info for when I get it. thanks.

  8. #8

    schweb's Avatar
    Member Since
    Oct 27, 2002
    Location
    Cleveland, Ohio
    Posts
    13,190
    Specs:
    MacBook Pro | LED Cinema Display | iPhone 4 | iPad 2
    It's very easy to remove widgets. I think this article is way overblown. BTW, a nice new app is out that gives you a preference pane for managing widgets:

    http://www.macupdate.com/info.php/id/17990
    schweb | community leader
    flickr facebook twitter tumblr google+ about.me

    Mac-Forums: On Twitter | On Facebook | On Flickr


  9. #9
    jessica
    Guest
    [newbie alert] when you all say "I updated my prefs" can you elaborate on that?

  10. #10


    Member Since
    Apr 25, 2003
    Location
    The home of the free and the land that did for Braveheart.
    Posts
    1,301
    Specs:
    24"iMac, 15"MB-Pro, MacBook, G4 iMac, PM G5 2x2Ghz, G4 iBook & Some PCs
    Quote Originally Posted by jessica
    [newbie alert] when you all say "I updated my prefs" can you elaborate on that?
    Go Safari->Preferences and 'untick' the 'Open "safe" files after downloading' option.

    Amen-Moses

  11. #11
    Ex_PC_Puke
    Guest
    Interesting - and coming from the windows world - I did have a concern about dashboard objects as being an entry point into the OS --- I wold hope that Apple would ensure that a widget has certain rules as they are either

    - Totally passive just displaying info
    - Interactive making a request - then displaying results

    A widget should only be able to opeaterate in the memory space allowed for widgets and should have some limit on memory foot print

    Widgets do need to be contained !!!!

    Apple may need to make a widget manager / snooper
    - helps you totally exorcise (with predjudice) a widget from the dash board
    - Snoops for strange widget behavior
    - Bandwidth hogging
    - sending / receiving too much crap i.e. bandwidth

  12. #12


    Member Since
    Apr 25, 2003
    Location
    The home of the free and the land that did for Braveheart.
    Posts
    1,301
    Specs:
    24"iMac, 15"MB-Pro, MacBook, G4 iMac, PM G5 2x2Ghz, G4 iBook & Some PCs
    Quote Originally Posted by PC_Puke
    Interesting - and coming from the windows world - I did have a concern about dashboard objects as being an entry point into the OS
    Widgets are as safe as any other Javascript/Applescript environment, i.e like for example Safari. The protection is provided by Darwin and unless you do something really stupid like publishing your root password then no real damage can come from them.

    If you really feel the need you can always edit you dashboard plist file so that the widgets are loaded from a different location in which only you can install them.

    Amen-Moses

  13. #13
    Thanks for the heads-up
    DJ Lee

    Watts Up Productions
    www.wattsupproductions.com

  14. #14

    Strider's Avatar
    Member Since
    Apr 09, 2004
    Location
    Dubai
    Posts
    973
    Specs:
    15" MBP 2.16GHz ^ATI Radeon X1600 256MB ^100GB @ 7200 rpm ^2GB RAM ^Glossy Screen +iPod 4G 20 gigs
    Wow interesting read. Guess our OS X is not that safe now. I wonder how Apple could let something like this slip..

  15. #15
    meltbanana314
    Guest
    Quote Originally Posted by Strider
    Wow interesting read. Guess our OS X is not that safe now. I wonder how Apple could let something like this slip..
    Everybody makes mistakes, including Apple.

    Even though this problem may be easily exploitable, I don't think we'll see a lot of problems with it because most Mac users aren't 13 year old uber-133t script kiddies who want to make life miserable for everyone by cracking into other people's computers.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Creating your own dashboard widgets
    By bat in forum OS X - Operating System
    Replies: 1
    Last Post: 06-24-2011, 10:15 AM
  2. Adding widgets to the Dashboard
    By silvermac4108 in forum Apple Desktops
    Replies: 5
    Last Post: 01-25-2009, 06:11 PM
  3. Killer Dashboard widgets...
    By svnipp in forum Switcher Hangout
    Replies: 6
    Last Post: 02-22-2008, 11:24 PM
  4. Favorite Dashboard Widgets
    By WasabiTaylor in forum OS X - Operating System
    Replies: 2
    Last Post: 07-05-2005, 01:25 PM
  5. Dashboard widgets
    By Hanyoung in forum OS X - Operating System
    Replies: 3
    Last Post: 05-17-2005, 08:10 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •