Dashboard widgets... a security threat??
This is an interesting article and a proof of concept.
What do you all think?
NOTE: before clicking the link below please go to:
Safari > Preferences > General and uncheck "Open 'safe' files after downloading";
this link will install a widget otherwise.
http://stephan.com/widgets/zaptastic/
Comments
Originally posted by TednDi
This is an interesting article and a proof of concept.
What do you all think?
NOTE: before clicking the link below please go to:
Safari > Preferences > General and uncheck "Open 'safe' files after downloading";
this link will install a widget otherwise.
http://stephan.com/widgets/zaptastic/
I agree. This really sucks. What was Apple thinking? Why the hell are Widgets self installing? This is inexcusable. Apple needs to fix this now!
This is the same crap that Windows users have to deal with.
WTH.
(Note I was suggesting that as an alternative to unchecking 'open "safe" files after downloading' all the time).
Update: Now the icon for the widget has gone generic and it is no longer draggable.
It never wrote to the Widget folder, but it did load initially.
Strange...
Ok, so locking the Widgets folder seems to work.
Doing so forces Safari to download the Widget to the downloads folder you have selected and not do anything further to the unzipped Widget. You would then need to explicitly double click it for it to run. And the widget will be only running from the downloads folder and NOT be installed elsewhere.
Technically I don't think they are "self installing" so much as Safari merely has a secondary downloads folder for widgets.
Any Widget that does get installed will always ask you if you want to allow it to run at its first launching.
Originally posted by johnq
Sorry my above post was in error and the forum was unresponsive so I couldn't edit it earlier.
Ok, so locking the Widgets folder seems to work.
Doing so forces Safari to download the Widget to the downloads folder you have selected and not do anything further to the unzipped Widget. You would then need to explicitly double click it for it to run. And the widget will be only running from the downloads folder and NOT be installed elsewhere.
Technically I don't think they are "self installing" so much as Safari merely has a secondary downloads folder for widgets.
Any Widget that does get installed will always ask you if you want to allow it to run at its first launching.
The real problem is with general users, who won't know how to remove the Widgets. This has the potential to be real ugly for Apple.
I got the same problem on Windows with my friends. I never ever got a virus on my computer because I am an advised user and I watch my back all the time. But I keep on repairing my friends' systems because they aren't careful enough, and that's what the problem is.
I think it is a really big mistake from Apple and that should be fixed asap.
Besides, because a widget is only made up of HTML and CSS, there could be no widgets that do a lot of harm. Apple could create a place in the system preferences listing all of the widgets, allowing widgets to be installed/uninstalled or disabled/enabled.
Originally posted by icfireball
Besides, because a widget is only made up of HTML and CSS, there could be no widgets that do a lot of harm.
Wrong. A widget can be made out of those webstandards for ease of construction, but a lot of widgets are actually mini applications. For example, the iTunes control widget is an app, while other simpler ones are not.
Safari should have an option somewhere to and install dashboard widgets automatically. And it should be unchecked by default. Even though it is dead simple for me to add a widget to the Dashboard, it is still not DEAD SIMPLE for the average user. There should be a preference pane that allows you to easily add dashboard widgets you have downloaded, but not installed. The same goes for removing them also.
Originally posted by Placebo
Wrong. A widget can be made out of those webstandards for ease of construction, but a lot of widgets are actually mini applications. For example, the iTunes control widget is an app, while other simpler ones are not.
Correct, they have access to run many scripting language scripts, and can run AppleScript as well. They could be written to do two things: one is getting information for you from the internet, like what is playing at your local theater, and recording what you type and sending that file back to the 'owner'. But I guess this is no different than getting AppleScripts on the internet and running them; we trust that they will do what they say they will do. Or even any of the shareware or freeware software that we download. Although it is possible to track back a program / script / widget to its rightful owner or to the server that hosts it.
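As an added example (not code from the thread or from any widget it mentions), a small Python audit that reads the Info.plist of each .wdgt bundle in a directory such as ~/Library/Widgets and reports which ones declare capabilities beyond plain HTML/CSS. The key names are Dashboard's own Info.plist keys; the two sample bundles are constructed in a temporary directory so the script runs anywhere.

```python
"""Audit Dashboard widget bundles for the capabilities they declare."""
import os
import plistlib
import tempfile
from typing import Dict, List

# Info.plist keys that turn a widget from "HTML and CSS" into a mini application.
RISKY_KEYS = {
    "AllowSystem": "can run shell commands via widget.system()",
    "Plugin": "loads a native Cocoa plug-in bundle",
    "AllowFullAccess": "full access to system, files and network",
    "AllowFileAccessOutsideOfWidget": "can read/write files outside its bundle",
    "AllowNetworkAccess": "can reach hosts other than its origin",
}


def audit_widget_plist(info: dict) -> List[str]:
    """Return the risky capabilities declared in one widget's Info.plist dict."""
    findings = []
    for key, meaning in RISKY_KEYS.items():
        value = info.get(key)
        if key == "Plugin" and value:          # Plugin holds a bundle filename
            findings.append(f"Plugin={value}: {meaning}")
        elif value is True:                    # the other keys are booleans
            findings.append(f"{key}: {meaning}")
    return findings


def audit_widget_dir(widgets_dir: str) -> Dict[str, List[str]]:
    """Scan every *.wdgt bundle under widgets_dir (e.g. ~/Library/Widgets)."""
    report = {}
    for name in sorted(os.listdir(widgets_dir)):
        plist_path = os.path.join(widgets_dir, name, "Info.plist")
        if name.endswith(".wdgt") and os.path.isfile(plist_path):
            with open(plist_path, "rb") as fh:
                report[name] = audit_widget_plist(plistlib.load(fh))
    return report


def demo_report() -> Dict[str, List[str]]:
    """Build two constructed widget bundles in a temp dir and audit them."""
    base = tempfile.mkdtemp()
    samples = {  # constructed sample data, not real widgets
        "Clock.wdgt": {"CFBundleIdentifier": "example.clock"},
        "Shell.wdgt": {"CFBundleIdentifier": "example.shell",
                       "AllowSystem": True, "AllowNetworkAccess": True},
    }
    for name, info in samples.items():
        os.makedirs(os.path.join(base, name))
        with open(os.path.join(base, name, "Info.plist"), "wb") as fh:
            plistlib.dump(info, fh)
    return audit_widget_dir(base)
```

Point `audit_widget_dir` at your real Widgets folder to see which installed widgets asked for shell, plug-in or wider file/network access.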
Originally posted by MPMoriarty
I've seen widgets that are bash CLI.
Safari should have an option somewhere to and install dashboard widgets automatically. And it should be unchecked by default. Even though it is dead simple for me to add a widget to the Dashboard, it is still not DEAD SIMPLE for the average user. There should be a preference pane that allows you to easily add dashboard widgets you have downloaded, but not installed. The same goes for removing them also.
They should use a similar system to the downloading of applications. Are you sure you wish to download this? That would solve the problem - they should also have a preference pane that allows you to delete widgets - I would also like to see a spotlight search for widgets - i have five pages full already.
"(Widget Name) is being run for the first time. Are you sure you want to run this widget? (Decline) (Accept)"
Widgets are not self installing nor are they self starting.
Safari merely considers the Widgets folder to be a secondary Safari downloads folder.
Apple could easily make Safari download movies to ~/Movies and images to ~/Pictures.
The user still needs to either double click the downloaded widget (if they downloaded to some other folder) or to drag it off the Widget shelf inside Dashboard. Those are the two user-controlled methods for starting a widget.
Both methods will put up the above dialog box.
That Widgets might be written to be destructive or malicious: that's true for any download. I don't see any more of a security threat than downloading apps (freeware/shareware/commercial/pirated) from the Internet.
Originally posted by johnq
Widgets already ask:
"(Widget Name) is being run for the first time. Are you sure you want to run this widget? (Decline) (Accept)"
Widgets are not self installing nor are they self starting.
Safari merely considers the Widgets folder to be a secondary Safari downloads folder.
Apple could easily make Safari download movies to ~/Movies and images to ~/Pictures.
The user still needs to either double click the downloaded widget (if they downloaded to some other folder) or to drag it off the Widget shelf inside Dashboard. Those are the two user-controlled methods for starting a widget.
Both methods will put up the above dialog box.
That Widgets might be written to be destructive or malicious: that's true for any download. I don't see any more of a security threat than downloading apps (freeware/shareware/commercial/pirated) from the Internet.
but that site did it automatically without me noticing the first time! I only noticed the second time because it went onto the desktop. If you drag it from the tray it doesn't ask you if you're sure.
Originally posted by icfireball
It's not really a problem at all, Apple just has to release an update that can allow "stupid/average" users to uninstall the widgets easily themselves.
Besides, because a widget is only made up of HTML and CSS, there could be no widgets that do a lot of harm. Apple could create a place in the system preferences listing all of the widgets, allowing widgets to be installed/uninstalled or disabled/enabled.
You are the perfect example of the guy who did'nt understand a thing.
First of all, being myself a computer programmer, i can tell that there is a huge law in programming: THE PROGRAMMER have to implement the necessary security for their program suck as input control, and so on. The avera
Originally posted by vespertinian
You are the perfect example of the guy who did'nt understand a thing.
First of all, being myself a computer programmer, i can tell that there is a huge law in programming: THE PROGRAMMER have to implement the necessary security for their program suck as input control, and so on. The avera
^ I hope his programs are typed better.
Originally posted by MacCrazy
but that site did it automatically without me noticing the first time! I only noticed the second time because it went onto the desktop. If you drag it from the tray it doesn't ask you if you're sure.
True. I'm not sure how that happens. Surely the "Are you sure" isn't in the widget code itself, right? If so, yeargh!
I'll have to take a look at that code...