The Mac Observer

Developer Demonstrates Dashboard Exploit [UPDATE]

by , 10:45 AM EDT, May 9th, 2005

A developer has demonstrated a Dashboard exploit in Mac OS X 10.4 "Tiger" that a malicious Web site owner could use to install Widgets you might not want on your Mac. Writing under the name of Stephan.com, the developer said that a combination of Apple's lack of documentation for removing Widgets, Safari's download controls, and a Widget feature all make it possible for the bad guys to use Dashboard to take you to any Web site of their choosing, hijacking Dashboard for their nefarious purposes.

At issue is a feature in Safari called "Open safe files" that is turned on by default. This feature allows your Mac to automatically open image files, PDFs, movies, disk images, and other files considered safe as soon as they are downloaded. Unfortunately, this also includes downloaded Widget files, which are installed when opened.

By combining this with a Web page's ability to trigger a file download automatically when it is visited (an HTML feature not limited to Safari), Stephan.com demonstrated how easy it is for a Web site operator to install a Dashboard Widget without the consent of the user.

Where this really becomes a problem, however, is what the designer of the Widget does. According to Stephan.com, a Widget can be made to do such things as automatically send the user to a given Web page whenever the Widget is clicked on, and even when a user simply switches to Dashboard.

"This could be taken further, of course," wrote Stephan.com, "using all the nasty tricks developed by the [porn] industry over the last few years - opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open."

What makes the issue particularly difficult to deal with, according to Stephan.com, is Apple's decision not to provide a documented way to remove Widgets once installed. In fact, Apple's Mac OS X Help files state specifically that "You cannot remove widgets from the Widget Bar or change their order."

The workaround for this is to manually remove the Widget in question from your ~/Library/Widgets directory and then reboot your Mac, but this is something that many, if not most, users won't know how to do. That means that for many people, once a malicious Widget is installed, it's going to stay installed.

He details further examples of potential problem areas at his Web site. Please note that visiting the demonstration page with Safari in Tiger with the "Open safe files" option turned on will install his demonstration Widget, called Zaptastic, into your Dashboard panel.

Warning: In his discussion of the issue, Stephan.com links to (but does not display) a porn image that many will find offensive and/or disturbing.

Update: A safety precaution for those worried about these problems is to turn off "Open safe files" in your Safari general preferences. This will not prevent someone from auto-downloading a Widget to your system, but it will prevent it from being auto-installed.
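As an added example (not part of the original article or Stephan.com's demonstration), the shell script below audits the two conditions described above on a Mac: whether Safari's "Open safe files" option is still on, and which widgets sit in the user's Widgets folder. It assumes the checkbox is stored under the Safari defaults key AutoOpenSafeDownloads and that user-installed widgets live in ~/Library/Widgets as .wdgt bundles.

```shell
#!/bin/sh
# Added example (not from the article): audit the two conditions it describes.
# Assumptions: Safari keeps the "Open safe files" checkbox in the defaults key
# com.apple.Safari AutoOpenSafeDownloads, and browser-installed widgets land in
# ~/Library/Widgets as *.wdgt bundles.

# Classify the raw value printed by `defaults read`. Safari ships with the
# option ON, so an absent key (empty string) is treated as enabled.
safe_files_state() {
    case "$1" in
        0|false|FALSE|no|NO) echo "disabled" ;;
        *)                    echo "enabled" ;;
    esac
}

# Print the widget bundles in a directory, one name per line, sorted.
# Anything listed here was added after install and is what a user would
# have to delete by hand (then reboot) after a drive-by install.
list_widgets() {
    dir=$1
    [ -d "$dir" ] || return 0
    for w in "$dir"/*.wdgt; do
        [ -d "$w" ] || continue
        name=${w##*/}
        echo "${name%.wdgt}"
    done | sort
}

# Number of user-installed widgets (0 when the directory is missing or empty).
count_widgets() {
    list_widgets "$1" | wc -l | tr -d ' '
}

# Report for the current machine; only runs where the `defaults` tool exists.
report() {
    raw=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    echo "Safari 'Open safe files': $(safe_files_state "$raw")"
    echo "User widgets in ~/Library/Widgets: $(count_widgets "$HOME/Library/Widgets")"
    list_widgets "$HOME/Library/Widgets" | sed 's/^/  /'
}

if command -v defaults >/dev/null 2>&1; then
    report
fi
```

Any widget the report lists that you did not install yourself is a candidate for the manual removal described above.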
