Malicious Web Pages Can Install Dashboard Widgets
bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.
That seems like quite a security flaw... Any timeline on it being patched?
I LIKE TOAST!!!
So the worst case scenario is that the icon in the dashboard bar is pornographic? I'm going back to Windows instantly, because with Windows, I can also immediately dial-up to a porn site, eat that Apple! (no pun intended)
It's true that it's too easy to install a widget with Safari, because it unzips and installs automatically, but it can't do any harm but to your eyes.
Still, some sort of warning with a preview would be a good idea.
But you'd also have to have the "open safe items" turned on in Safari prefs, and that is kinda dumb.
Pablo Picasso was never called an asshole. Not like you.
That's interesting, I just tried it with IE, Firefox, and Opera, and all of them simply displayed the standard dialog asking to download the file. Might be worth noting I'm just running XP SP1 though.
D'OH! That about sums it up.
-Tom
Also from TFA:
"That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard."
Nothing will be executed unless the user explicitly runs it by dragging the widget from the widget bar to the dashboard.