The Mac Observer


Developer Demonstrates Dashboard Exploit [UPDATE]

10:45 AM EDT, May 9th, 2005

A developer has demonstrated a Dashboard exploit in Mac OS X 10.4 "Tiger" that a malicious Web site owner could use to install Widgets you might not want on your Mac. Writing under a pseudonym, the developer said that a combination of Apple's lack of documentation for removing Widgets, Safari's download controls, and a Widget feature makes it possible for the bad guys to use Dashboard to take you to any Web site of their choosing, hijacking Dashboard for their nefarious purposes.

At issue is a feature in Safari called "Open safe files" that is turned on by default. This feature allows your Mac to automatically open image files, PDFs, movies, disk images, and other files considered safe when downloaded. Unfortunately, this also includes downloaded Widget files, which are installed when opened.

By combining this with the ability to automatically download a file when a Web page is visited (an HTML feature not limited to Safari), the developer demonstrated how easy it is for a Web site operator to auto-install a Dashboard Widget without the consent of the user.

Where this really becomes a problem, however, is in what the designer of the Widget makes it do. According to the developer, a Widget can be made to do such things as automatically send the user to a given Web page whenever the Widget is clicked on, and even when a user simply switches to Dashboard.

"This could be taken further, of course," wrote the developer, "using all the nasty tricks developed by the [porn] industry over the last few years - opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open."

What makes the issue particularly difficult to deal with, according to the developer, is Apple's decision not to provide a documented way to remove Widgets once installed. In fact, Apple's Mac OS X Help files state specifically that "You cannot remove widgets from the Widget Bar or change their order."

The workaround for this is to manually remove the Widget in question from your ~/Library/Widgets directory and reboot your Mac, but this is something that many, if not most, users won't know. That means that for many people, once a malicious Widget is installed, it's going to stay installed.

He details further examples of potential problem areas at his Web site. Please note that visiting the demonstration page with Safari in Tiger with the "Open safe files" option turned on will install his demonstration Widget, called Zaptastic, into your Dashboard panel.

Warning: In his discussion of the issue, the developer links to (but does not display) a porn image that many will find offensive and/or disturbing.

Update: A safety precaution for those worried about these problems is to turn off "Open safe files" in your Safari general preferences. This will not prevent someone from auto-downloading a Widget to your system, but it will prevent it from being auto-installed.
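
To see what is sitting in the Widget directory named in the workaround above, this added example (not code from the article or from the developer) lists each `.wdgt` bundle with the access keys its `Info.plist` declares, newest first. It assumes the standard Dashboard bundle layout with `Info.plist` at the bundle root; `audit_widgets` and its record fields are hypothetical names.

```python
import plistlib
import time
from pathlib import Path
from xml.parsers.expat import ExpatError

# Access keys a Dashboard widget may declare in its Info.plist.
ACCESS_KEYS = ("AllowNetworkAccess", "AllowSystem", "AllowFullAccess",
               "AllowFileAccessOutsideOfWidget", "AllowInternetPlugins",
               "AllowJava")


def audit_widgets(widget_dir):
    """Return one record per .wdgt bundle in widget_dir, newest first."""
    records = []
    for bundle in Path(widget_dir).expanduser().glob("*.wdgt"):
        rec = {"name": bundle.name, "identifier": None, "access": [],
               "error": None,
               # Directory mtime approximates when the bundle was written.
               "modified": bundle.stat().st_mtime}
        try:
            with open(bundle / "Info.plist", "rb") as fh:
                info = plistlib.load(fh)
            if not isinstance(info, dict):
                raise ValueError("Info.plist root is not a dictionary")
            rec["identifier"] = info.get("CFBundleIdentifier")
            rec["access"] = [k for k in ACCESS_KEYS if info.get(k) is True]
        except (OSError, ValueError, ExpatError) as exc:
            # A bundle that cannot be parsed is itself worth a look.
            rec["error"] = f"{type(exc).__name__}: {exc}"
        records.append(rec)
    return sorted(records, key=lambda r: r["modified"], reverse=True)


if __name__ == "__main__":
    # Per-user Widget directory from the workaround above.
    for rec in audit_widgets("~/Library/Widgets"):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(rec["modified"]))
        detail = rec["error"] or ", ".join(rec["access"]) or "no access keys"
        print(f"{stamp}  {rec['name']}  {rec['identifier']}  [{detail}]")
```

A Widget you do not recognise near the top of the list, especially one declaring access keys, is a candidate for the manual removal described above.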
