Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Web Pages Can Install Dashboard Widgets

Posted by timothy on from the not-good dept.

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.

5 of 610 comments (clear)

  1. Not much of a problem... by InternationalCow · · Score: 5, Informative

    If you do not tick the "open safe files" check box in the prefs. Which you should left unchecked if you're not entirely stupid, as there is no way to tell whether any file is actually "safe". Good Internet Practice, as I like to call it.

    --
    ----- One learns to itch where one can scratch.
  2. The solution by Little+Grey · · Score: 5, Informative

    Is to turn off "Open 'Safe' downloads" in Safari's Options.

    It's just common sense anyways

  3. Re:Firefox asks what to do by Bungopolis · · Score: 5, Informative

    This warning applies specifically to Safari. It's obviously not going to affect Firefox, because Firefox does not have the widget auto-installation feature that Safari does. Most users of Tiger, however, are probably using Safari, so this most certainly is dangerous.

  4. Important correction by daveschroeder · · Score: 5, Informative

    Well, it turns out I spoke too soon.

    I said that Dashboard would prompt you when the widget was run for the first time. It turns out that for auto-installed Safari widgets, it does NOT prompt you the first time the widget is run.

    Interesting.

    This is indeed a security issue, and it should be made to at least prompt the user.

    Considering that ALL other new widgets always prompt when first run, this appears to be a bug, and not the intended behavior.

    The temporary fix (and what I always recommend anyway) is to disable "Open 'safe' files after downloading" in Safari.

  5. Re:Sky not falling, Safari warns user twice. by mithras+the+prophet · · Score: 5, Informative
    Safari will warn you when downloading a widget with cocoa calls in it by saying "widgetname contains an application. Are you sure you want to continue downloading widgetname?". You have the option to abort download and installation.

    Yes, but you won't get that prompt for a widget that doesn't have Cocoa code, but does contain widget.System() calls -- which effectively means it's an application. You could put an executable in your widget, not set the executable bit, but then chmod a+x and run it from widget.System() calls.

    Dashboard will ask you the first time a third-party widget is run and give you the option of not running it.

    It's so bizarre I didn't believe myself at first, but this is not true of widgets that are auto-installed. Try it yourself -- here is my example exploit page with an entire set of widgets that look identical to the Apple widgets. You will be prompted for permission with none of them, including the `Calculator' widget, which makes a widget.System() call and could conceivably have deleted your home directory.

    --
    four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty