Developer Demonstrates Dashboard Exploit [UPDATE]

by , 10:45 AM EDT, May 9th, 2005

A developer has demonstrated a Dashboard exploit in Mac OS X 10.4 "Tiger" that a malicious Web site owner could use to install Widgets you might not want on your Mac. Writing under the name of Stephan.com, the developer said that a combination of Apple's lack of documentation for removing Widgets, Safari's download controls, and a Widget feature all make it possible for the bad guys to use Dashboard to take you to any Web site of their choosing, hijacking Dashboard for their nefarious purposes.

At issue is a feature in Safari called "Open safe files" that is turned on by default. This feature allows your Mac to automatically open image files, PDFs, movies, disk images, and other files considered safe when they are downloaded. Unfortunately, this also includes downloaded Widget files, which are installed when opened.

When combined with the ability to automatically download a file when visiting a Web page (an HTML feature not limited to Safari), Stephan.com demonstrated how easy it is for a Web site operator to auto-install a Dashboard Widget without the consent of the user.

Where this really becomes a problem, however, is what the designer of the Widget does. According to Stephan.com, a Widget can be made to do such things as automatically send the user to a given Web page whenever the Widget is clicked on, and even when a user simply switches to Dashboard.

"This could be taken further, of course," wrote Stephan.com, "using all the nasty tricks developed by the [porn] industry over the last few years - opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open."

What makes the issue particularly difficult to deal with, according to Stephan.com, is Apple's decision not to provide a documented way to remove Widgets once installed. In fact, Apple's Mac OS X Help files state specifically that "You cannot remove widgets from the Widget Bar or change their order."

The workaround is to manually remove the offending Widget from your ~/Library/Widget directory and then reboot your Mac, but this is something that many, if not most, users won't know how to do. That means that for many people, once a malicious Widget is installed, it's going to stay installed.

He details further potential problem areas at his Web site. Please note that visiting the demonstration page with Safari in Tiger with the "Open safe files" option turned on will install his demonstration Widget, called Zaptastic, into your Dashboard panel.

Warning: In his discussion of the issue, Stephan.com links to (but does not display) a porn image that many will find offensive and/or disturbing.

Update: A safety precaution for those worried about these problems is to turn off "Open safe files" in your Safari general preferences. This will not prevent someone from auto-downloading a Widget to your system, but it will prevent it from being auto-installed.
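The article leaves users with two defensive questions: is the "Open safe files" setting still on, and has anything appeared in the user widget directory that they did not install? The following script is an added example written for this page, not code from the article or from Stephan.com. It assumes the Tiger layout of one <Name>.wdgt bundle per widget, each with an XML Info.plist carrying a CFBundleIdentifier key, under a directory such as ~/Library/Widgets; it assumes the Safari preference key AutoOpenSafeDownloads backs the "Open safe files" checkbox; and the two sample widgets and the allowlist it builds are constructed for the demonstration (the Zaptastic bundle identifier is made up).

```shell
#!/bin/sh
# Added example (not code from the article or from Stephan.com): audit a
# Dashboard widget directory against an allowlist so a silently installed
# widget can be spotted, and report the Safari "Open safe files" setting.
# Assumptions: widgets are <Name>.wdgt bundles with an XML Info.plist that
# carries a CFBundleIdentifier key (as under ~/Library/Widgets on Tiger), and
# the Safari key AutoOpenSafeDownloads backs the "Open safe files" checkbox.

tab=$(printf '\t')

# Read the CFBundleIdentifier value from an XML Info.plist.
widget_id() {
    sed -n '/<key>CFBundleIdentifier<\/key>/{
        n
        s/.*<string>\(.*\)<\/string>.*/\1/p
    }' "$1"
}

# List each widget bundle in DIR as "<bundle name><tab><identifier>".
list_widgets() {
    for w in "$1"/*.wdgt; do
        [ -f "$w/Info.plist" ] || continue
        id=$(widget_id "$w/Info.plist")
        printf '%s\t%s\n' "$(basename "$w")" "${id:-<no identifier>}"
    done
}

# Print "UNEXPECTED: <bundle> (<id>)" for every widget whose identifier is not
# listed (one per line) in the allowlist file given as the second argument.
audit_widgets() {
    list_widgets "$1" | while IFS="$tab" read -r name id; do
        grep -qx -- "$id" "$2" || printf 'UNEXPECTED: %s (%s)\n' "$name" "$id"
    done
}

# Number of unexpected widgets; 0 means the directory matches the allowlist.
unexpected_count() {
    audit_widgets "$1" "$2" | wc -l | tr -d ' '
}

# Report the "Open safe files" setting. Only meaningful on a Mac where the
# `defaults` tool exists; a missing key is treated as enabled, which is the
# unsafe default the article describes. Prints "unknown" elsewhere.
safari_auto_open_status() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return; }
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    case "$v" in 0|false) echo disabled ;; *) echo enabled ;; esac
}

# Build a constructed sample directory: one widget the user chose and one that
# arrived silently (named after the demo widget in the article; its identifier
# is made up). Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    for spec in "Weather.wdgt com.apple.widget.weather" \
                "Zaptastic.wdgt com.example.zaptastic"; do
        set -- $spec
        mkdir -p "$d/$1"
        printf '<plist version="1.0"><dict>\n<key>CFBundleIdentifier</key>\n<string>%s</string>\n</dict></plist>\n' \
            "$2" > "$d/$1/Info.plist"
    done
    echo com.apple.widget.weather > "$d/allow.txt"
    echo "$d"
}

# Stand-alone run: audit the constructed sample and report the Safari setting.
sample=$(make_sample)
audit_widgets "$sample" "$sample/allow.txt"
echo "Open safe files: $(safari_auto_open_status)"
```

On a real machine you would point audit_widgets at ~/Library/Widgets with an allowlist of the identifiers you installed on purpose; anything it prints is a candidate for the manual removal the article describes, and the Safari status line tells you whether the auto-install path is still open.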
