Apple's Dashboard Hacked

Top Tech News ^ | May 9, 2005

[Stoat]

Apple's Dashboard Hacked

May 9, 2005 1:50PM

What makes the issue particularly difficult to deal with, according to Stephan.com, is Apple's decision not to provide a documented way to remove Widgets once installed. In fact, Apple's Mac OS X Help files state specifically that "You cannot remove widgets from the Widget Bar or change their order."
 

A developer has demonstrated a Dashboard exploit in Mac

OS X 10.4 "Tiger" that a malicious Web site owner could use to install Widgets you might not want on your Mac.

Writing under the name of Stephan.com, the developer said that a combination of Apple's lack of documentation for removing Widgets, Safari's download controls, and a Widget feature all make it possible for the bad guys to use Dashboard to take you to any Web site of their choosing, hijacking Dashboard for their nefarious purposes.

At issue is a feature in Safari called "Open safe files" that is turned on by default.

This feature allows your Mac to automatically open image files, PDFs, movies, disk images and other files considered safe when downloaded. Unfortunately, this also includes Widget files downloaded, which are installed when opened.

When combined with the ability to automatically download a file when visiting a Web page (an HTML feature not limited to Safari), Stephan.com demonstrated how easy it is for a Web site operator to autoinstall a Dashboard Widget without the consent of the user.

 

Where this really becomes a problem, however, is what the designer of the Widget does. According to Stephan.com, a Widget can be made to do such things as automatically send the user to a given Web page whenever the Widget is clicked on, and even when a user simply switches to Dashboard.

"This could be taken further, of course," wrote Stephan.com, "using all the nasty tricks developed by the [porn] industry over the last few years -- opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open."

What makes the issue particularly difficult to deal with, according to Stephan.com, is Apple's decision not to provide a documented way to remove Widgets once installed. In fact, Apple's Mac OS X Help files state specifically that "You cannot remove widgets from the Widget Bar or change their order."

The work around for this is to manually remove any particular Widget from your ~Library/Widget directory, and rebooting your Mac, but this is something that many, if not most, users won't know. That means that for many people, once a malicious Widget is installed, it's going to stay installed.

He details further examples of areas of potential problem at his Web site. Please note that visiting the demonstration page with Safari in Tiger with the "Open safe files" option turned on will install his demonstration Widget, called Zaptastic, into your Dashboard panel.

Warning: In his discussion of the issue, Stephan.com links to (but does not display) a porn image that many will find offensive and/or disturbing.

[HAL9000]

Yes, some widgets were copied into my home library widgets folder.

[Swordmaker]

As I Freepmailed bw, I just found the problem with seeing the Widgets... I was seeking "widgets" plural, when I should have been seeking "widget" singular. Early onset of OldTimer's Disease!

On the question of the user Widget folder... mine has yet to create one in any of the sub users' directories on my computer. I logged onto another user ID and downloaded a widget... THEN it created a Widget folder in the User's library. I tried it in a user with administration privileges... and the widget went into the system's Library and did not create a user's Library. Strange. I can't find a setting that controls this behavior.

I also found that it can take some time between the installation of a widget in the Library/Widgets folder and its appearance in the Widgets dock in Dashboard... One widget I downloaded and installed took over 25 minutes before it appeared in the Widget Dock! I am beginnig to think that there is some flakiness with the widget handlers. One of the test widgets from the Zaptastic website took about 5 minutes to disappear from the Widget Dock after I had dragged it to the Trashcan and emptied the Trash. Even quitting and restarting the Dashboard didn't seem to force a change. Its icon even survived a system restart after deletion but it would not run or install on the Dashboard.

In addition, Spotlight doesn't always go away as quickly as it should... and this is a problem because if you have the spotlight show-all window open and click on another app, the Spotlight showp-all window is unfocused in favor of the window you clicked on but the Spotlight summary or search window is still active and pre-empting Finder. To get rid of it, you have to click in the search field and THEN click elsewhere.

I think Spotlight needs some interface tweaking. Are you guys experiencing this or is it just my G5?

[Swordmaker]

I just downloaded a widget in a subuser's account. The ~/Library/Widgets folder was created and the new widget was installed there. I then returned to my Admin account and the new widget was not available. So individual users can have unique widgets on their account as well as access to those the administrator accounts download.

Incidentally, the widget appeared in the user's widget dock immediately. No delay at all. hmmmmm. I have to try again today and see if there is any delay in a widget downloaded to the Admin account... or was that some artifact of yesterday?

[HAL9000]

The widgets may have gotten installed in my home directory by downloading and launching them from the Desktop.

I just looked at the Dashboard API in XCode, and it seems relatively simple to develop a widget. Perhaps someone will develop a FreeRepublic Dashboard widget to show latest posts, show pings, start a new thread, etc.

[HAL9000]

Have you tried FreeRepublic's RSS feed on Safari? -

http://www.freerepublic.com/focus/f-news/browse.rss

[Swordmaker]

The Widget handler has not problem with having a widget in both the System Library and the User's library... that's good. BUT a couple of widgets from the system library in the user's doc have incomplete icons. The Brittanica icon is complete in my account but is merely a blue square in the users account. It works both places but something is broke.

Interesting.

As to the RSS feed from FreeRepublic... Not yet but I will. Thanks for reminding me.

[Swordmaker]

I found a strange... and a possible explanation. I was trying to find out why the Safari in my account was acting differently in handling the widgets than the Safari's were in sub-users' accounts. I think I found it. A couple of years ago I tried out Speed Downloader... but didn't like it. I uninstalled it and forgot about it.

Searching for differences in the Safari's I found that MINE still had a plug-in for Speed Downloader and that somehow interfered with the proper downloading on my account. This apparently has only impacted the Widget installation... after I located this plug-in in my user (~/Library/Internet Plug-ins) Library and removed it, the download created a ~/Library/Widgets folder and placed a downloaded widget into it! With the plug-in, it placed it in the System widget folder. STRANGE.

[noblejones]

>>
Well, I guess OS 10.4.1 is coming very soon. LOL
<<

I hope so. Tiger blows.

[MrLee]

I installed a little freeware program, "Widget Manager". Soles any potential problems.

[avg_freeper]

Tiger blows.

Is it really that bad? I'm still at 10.2. (I forget which cat that was) I was thinking of finally upgrading the OS on my G4 along with installing a Radeon 9K card and more memory.

What's your beef with Tiger? Would it be better to hold off?

[noblejones]

>>
What's your beef with Tiger? Would it be better to hold off?
<<

It's messed up all of my apps. I think this is an exteme case, but I am certainly not pleased. If I were you, I'd wait 'til the 10.4.1 update is ready.

[PayNoAttentionManBehindCurtain]

Tiger is not installed on the machine I bought, but they gave me a copy to download.

Does the mini have any software on it that would compare to Microsoft Office?

I really know nothing about macs and am lost. The help section leaves a little to be desired. Is there a mac's for dummy's anywhere? :)

BigMack

[HAL9000]

Does the mini have any software on it that would compare to Microsoft Office?

I believe the mini includes an application called AppleWorks. It is relatively old, but it works okay and includes word processing, a spreadsheet, graphic design and database processing.

Apple has a new program for $79 called iWork which includes a word processor and a presentation design program.