WARNING: Widgets can hijack your dashboard

Thud (Guest):
This is not good....

http://www.tuaw.com/2005/05/07/the-problem-with-widgets/


I haven't installed the "demo" widget. But here's the summary:

1) Widgets cannot be removed from the widget bar once they are installed (according to Apple's help files), unless you edit an XML file and reboot.

2) By default, widgets will auto-install automatically through Safari, WITHOUT PROMPTING or asking for a password. The article shows how to disable this "feature."

3) Widgets can be made to use an obscene image as their icon, which will then take permanent residence in your widget bar, until you do some XML file editing (see #1).

4) A widget can be programmed to load a particular web page in the browser (which also closes the Dashboard). This means that you effectively cannot open the Dashboard (because it closes immediately) and thus you can't remove the offending widget from the Dashboard, after the widget was installed automatically without your permission!


Well, as both a Windows and Mac user, I would like to welcome Mac users to the wonderful world of spyware, and something that doesn't exist in the Windows world -- Dashboard Hijackers.
The question is, will Apple fix this gaping security hole before somebody exploits it?
 
Apple (Guest):
I always was just able to delete the widget file out of ~/Library/Widgets then reboot my comp to get rid of some.
This is very scary though
 

iWhat (joined Nov 11, 2004, Toledo, Ohio; specs: Macbook, iMac G5, iPad, iPhone 4, iPod (MANY)!):
I adjusted my prefs, thanks for the heads up.
 
Member (joined Feb 18, 2005; specs: 20" iMac G5 1GB RAM Superdrive; 12" powerbook 512mb RAM G4 Superdrive):

Member (joined Aug 25, 2004, New Zealand; specs: 13" MBA. 15" MBP. iPhone 4. 3G Pad 2.):
I would have thought that removing them from ~ user library > widgets and trashing them would have been enough. I have already removed a few that didn't work as expected. No sign of the removed ones now. A reboot would make sure.
Looks a bit like FUD.
I've always had the pref. option to open safe files after downloading unticked ~ too long on windows :)
 
Member (joined Jun 25, 2004, Luxemburg, Europe; specs: PowerMac G5 Dual 2GHz (June 2004), 2.5GB, Airport, black 5G iPod 30GB, white MacBook 2.0 2GB):
To remove a widget outside of Dashboard, delete it from ~/Library/Widgets (and from your Trash, afterwards) and relaunch the Dock. Dashboard seems to be part of the Dock, and after relaunching it, the deleted widget is no longer in the widget bar.
To relaunch the Dock, you can use for example TinkerTool, or simply log out and log in again. There's definitely no need to restart the Mac. Just make sure that, when you delete the widget from ~/Library/Widgets, you also empty the Trash, or at least delete the widget from the Trash to permanently remove it.

This is, of course, not the way it should be. Apple should have given an option to remove a widget in an easier way (as we are used to from them).
And the fact that Safari, by default, opens every downloaded file is not really secure either... reminds me of Internet Explorer...
Since version 2.0, Safari does however give you a warning when a downloaded file is executable... except for widgets, which, in my opinion, is a serious flaw.

EDIT: Another option to relaunch the Dock is going to the Terminal and typing killall Dock (case sensitive).
 
Member (joined Oct 30, 2004, San Antonio, Texas; specs: PowerMac G4 Cube 450mhz 832mb):
Thanks for the heads up. I don't have Tiger yet, but useful info for when I get it. Thanks.
 
Member (joined Oct 27, 2002, Cleveland, Ohio; specs: MacBook Pro | LED Cinema Display | iPhone 4 | iPad 2):

jessica (Guest):
[newbie alert] when you all say "I updated my prefs" can you elaborate on that?
 
Amen-Moses (joined Apr 25, 2003; location: The home of the free and the land that did for Bra; specs: 24"iMac, 15"MB-Pro, MacBook, G4 iMac, PM G5 2x2Ghz, G4 iBook & Some PCs):
jessica said:
[newbie alert] when you all say "I updated my prefs" can you elaborate on that?

Go Safari->Preferences and 'untick' the 'Open "safe" files after downloading' option.

Amen-Moses
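As an added example (my own script, not code from this thread, from Apple or from the widget-manager app linked later), here is a small POSIX shell helper that scripts the two defensive steps posters describe above: deleting a widget bundle from ~/Library/Widgets and relaunching the Dock, and turning off Safari's 'Open "safe" files after downloading' option. It assumes that widgets live as <name>.wdgt bundles in that directory and that the matching Safari preference key is AutoOpenSafeDownloads in the com.apple.Safari domain; the mac-only commands (defaults, killall Dock) are skipped when they are not present, so the file-handling part can be tried on any Unix against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: remove a Dashboard widget bundle and
# relaunch the Dock, and disable Safari's auto-open of "safe" downloads.
# Assumptions: widgets are <name>.wdgt directories under ~/Library/Widgets,
# and the Safari preference key is AutoOpenSafeDownloads (com.apple.Safari).

WIDGET_DIR="${WIDGET_DIR:-$HOME/Library/Widgets}"

# list_widgets [DIR]: print the widget bundle names found in DIR, one per line.
list_widgets() {
    dir="${1:-$WIDGET_DIR}"
    [ -d "$dir" ] || return 0
    for w in "$dir"/*.wdgt; do
        [ -e "$w" ] || continue          # no match: glob stays literal
        basename "$w" .wdgt
    done
}

# remove_widget NAME [DIR]: delete NAME.wdgt from DIR (default ~/Library/Widgets).
# Returns 0 on success, 1 if there is no such widget, 2 if NAME is unsafe.
remove_widget() {
    name="$1"
    dir="${2:-$WIDGET_DIR}"
    # refuse empty names and anything that could escape the widget directory
    case "$name" in
        ""|*/*|.|..) return 2 ;;
    esac
    bundle="$dir/$name.wdgt"
    [ -d "$bundle" ] || return 1
    rm -rf "$bundle"
}

# relaunch_dock: Dashboard runs inside the Dock, so restarting the Dock drops
# the deleted widget from the widget bar. No-op when not on macOS.
relaunch_dock() {
    if [ "$(uname -s 2>/dev/null)" = "Darwin" ] && command -v killall >/dev/null 2>&1; then
        killall Dock
    else
        echo "relaunch_dock: not on macOS, skipping" >&2
    fi
}

# disable_safe_downloads: same effect as unticking Safari > Preferences >
# 'Open "safe" files after downloading'. Key name is an assumption.
disable_safe_downloads() {
    if command -v defaults >/dev/null 2>&1; then
        defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    else
        echo "disable_safe_downloads: 'defaults' not available, skipping" >&2
    fi
}

# demo: exercise the file handling on a constructed scratch directory.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/Good.wdgt" "$tmp/Suspicious.wdgt"   # constructed sample bundles
    echo "before: $(list_widgets "$tmp" | tr '\n' ' ')"
    remove_widget Suspicious "$tmp" && echo "removed Suspicious"
    echo "after:  $(list_widgets "$tmp" | tr '\n' ' ')"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh widgets.sh demo` to see the removal on a scratch directory; to act on the real folder, call `remove_widget NAME` with no directory argument, then `relaunch_dock`. Deleting the bundle with rm bypasses the Trash, which is what the post above says you must empty anyway.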
 
Ex_PC_Puke (Guest):
Interesting - and coming from the Windows world - I did have a concern about Dashboard objects as being an entry point into the OS --- I would hope that Apple would ensure that a widget has certain rules, as they are either

- Totally passive, just displaying info
- Interactive, making a request and then displaying results

A widget should only be able to operate in the memory space allowed for widgets and should have some limit on memory footprint.

Widgets do need to be contained !!!!

Apple may need to make a widget manager / snooper:
- helps you totally exorcise (with prejudice) a widget from the Dashboard
- snoops for strange widget behavior
- bandwidth hogging
- sending / receiving too much crap, i.e. bandwidth
 
Amen-Moses (joined Apr 25, 2003; location: The home of the free and the land that did for Bra; specs: 24"iMac, 15"MB-Pro, MacBook, G4 iMac, PM G5 2x2Ghz, G4 iBook & Some PCs):
PC_Puke said:
Interesting - and coming from the windows world - I did have a concern about dashboard objects as being an entry point into the OS

Widgets are as safe as any other JavaScript/AppleScript environment, i.e. like, for example, Safari. The protection is provided by Darwin, and unless you do something really stupid like publishing your root password, then no real damage can come from them.

If you really feel the need, you can always edit your Dashboard plist file so that the widgets are loaded from a different location in which only you can install them.

Amen-Moses
 
Strider (joined Apr 9, 2004, Dubai; specs: 15" MBP 2.16GHz ^ATI Radeon X1600 256MB ^100GB @ 7200 rpm ^2GB RAM ^Glossy Screen +iPod 4G 20 gigs):
Wow interesting read. Guess our OS X is not that safe now. I wonder how Apple could let something like this slip..
 
meltbanana314 (Guest):
Strider said:
Wow interesting read. Guess our OS X is not that safe now. I wonder how Apple could let something like this slip..

Everybody makes mistakes, including Apple.

Even though this problem may be easily exploitable, I don't think we'll see a lot of problems with it because most Mac users aren't 13 year old uber-133t script kiddies who want to make life miserable for everyone by cracking into other people's computers.
 
Thud (Guest):
schweb said:
It's very easy to remove widgets. I think this article is way overblown. BTW, a nice new app is out that gives you a preference pane for managing widgets:

http://www.macupdate.com/info.php/id/17990


Yes it is, but it's not easy enough for Grandma to do without somebody walking her through it. There goes the "it just works" philosophy.


This news got mentioned on www.slashdot.org now, which is very high profile, so you can bet that Apple will be paying attention and fixing it (hopefully) in 10.4.1.
 
Member (joined Jun 11, 2003, Mount Vernon, WA; specs: MacBook Pro 2.6 GHz Core 2 Duo 4GB RAM OS 10.5.2):
Oh yeah, they'll definitely fix it for 10.4.1, I don't see any other way around it.
 
Amen-Moses (joined Apr 25, 2003; location: The home of the free and the land that did for Bra; specs: 24"iMac, 15"MB-Pro, MacBook, G4 iMac, PM G5 2x2Ghz, G4 iBook & Some PCs):
schweb said:
It's very easy to remove widgets. I think this article is way overblown. BTW, a nice new app is out that gives you a preference pane for managing widgets:

http://www.macupdate.com/info.php/id/17990

I'll second that, that's what I like about OS X (and Linux), find an annoying lack of functionality and in about 5 minutes someone somewhere will have a freely downloadable fix for it.

Amen-Moses
 
normal1 (Guest):
It really all comes down to watching what you download. It's the same for PC users, only they are a lot easier to exploit. Download things from trusted sites, make sure you know what you're doing. "Automatic" is a good thing, but as we can see it can also be bad.
 
