In response to my earlier post on security in Apple’s new Dashboard Widgets, John Gruber, who writes the Daring Fireball blog, replies:
It’s interesting that you’re not getting the first-run warning, but I don’t think the overall threat is any more serious than with normal Mac software. What’s to stop *any* of the apps listed every day on VersionTracker from doing these things? Trojan horses are easy to write.
Exploits would be tough, because it would imply they could spread from one machine to another, or that you could have a malicious widget injected into your machine without knowing.
So, no, I don’t think widgets are going to pose a security problem. That’s not to say I’m certain, however.
And he’s got a point.
But I do note that with Tiger, Apple has really beefed up the warning about installing executable software files, precisely at the same time as they’re encouraging everyone to download and install lots of widgets.
Zephyr pointed out a Slashdot post about zaptaastic, which actually demonstrates installing a “slightly evil widget” (don’t visit the page with Safari). This demonstrates the autoinstalling of widgets done by Safari. Zap makes the same point I just did above:
“So what?” you may say, “The user gets warned.”. Two words: social engineering. The Macintosh user base is rapidly being conditioned that widgets are harmless little toys, and Apple’s warning is fairly innocuous:
goatse.cx is being run for the first time.
Are you sure you want to run this widget?
That doesn’t look particularly threatening. I haven’t tried any actually destructive things; I would assume that getting root is a lot easier when you’re starting from inside the host box. I wonder how many of the gmail passwords entered by users in flores and coras are the same as the root password?
It would be obscenely easy for me to harvest passwords in those applications, by the way… but I don’t. I could just generate hits on http://stephan.com/watch.html?username:password and then go read my system logs.
127.0.0.1 – - [05/May/2005:02:49:11 -0400] “GET /widgets/flores/index.html?foo:bar HTTP/1.1″ 200 5758
Even without root, though, there are some pretty interesting things you could do. A widget, for example, could use time when it is hidden to add tags to every .html page stored in the users home directory. If the user happens to be running a web server – or even uploading files to one – this could propagate a widget to other machines. I’m not really a security expert, I’m sure others can think of worse things to do.
Apple has significantly lowered the bar for malicious entities to install and execute damaging code in OSX. Honestly, I don’t think this is that big of a deal – causing real damage is likely a bit harder than I make it sound.