WidgetJacking: Zaptastic Shows Us the Big Hole in Tiger’s Dashboard


That gaping hole in Tiger’s Dashboard is no air vent – it’s a wide-open, highly exploitable security threat for users of Apple’s newest version of OS X for Mac. And we have Stephan.com’s Zaptastic and Goatse widgets to thank for showing us the big hole.

For those of you who have not yet ‘upgraded’ to Tiger, and more importantly for those of you who have: one of Tiger’s key features is Dashboard, which runs “widgets”, little apps that do all kinds of cool things and hang out invisibly until you bring them to the fore.

Interestingly, this is almost identical to the awesome program Konfabulator, whose creator Arlo Rose first brought widgets to the Mac community long before, oh, Apple “borrowed” the idea, along with the cute name “widgets”. Aunty herself is a very satisfied Konfabulator user, and has several Konfabulator widgets running on her desktop at any given time, some of which she simply wouldn’t do without (such as the weather widget, an iTunes remote control widget, and the Google pagerank widget).

One big difference between Mr. Rose’s widgets and Mr. Jobs’ widgets is that Mr. Rose’s widgets actually helpfully stay visible without your having to call them up like some demon (or is that daemon?) from the netherlayers.

Another, and perhaps now more important, difference is that Mr. Jobs’ widgets auto-install by default as soon as they are downloaded (Safari’s default “Open ‘safe’ files after downloading” setting counts a widget as safe, so it is installed the moment the download finishes), and there is no obvious way – and no directions whatsoever – for a user to remove a widget once it has been downloaded (and auto-installed).

This is bad enough if the user does an “oopsie” and simply clicks on the wrong widget to download, or just doesn’t like the new widget and wants to get rid of it.

But it’s far worse if the user does an “OOPSIE!”, and downloads a malicious widget, which hijacks (or, to use a term which Aunty has coined just for the occasion, “widgetjacks”) the user’s browser, or who knows what else.

To demonstrate just this point, a programmer calling himself “Stephan” (because, hey, it’s his name) developed two much less cool widgets called “Zaptastic” and “Goatse”. (Stephan is also the author of a pretty cool sounding Dashboard widget called “flores”, which shows graphically how much email you have backed up in your Gmail account by adding flowers to a vase.) Zaptastic, says Stephan, is a “slightly evil” widget which counts down the days until GreenZap, a purported competitor to PayPal, launches. Up until the launch date, it takes you to the GreenZap site whenever you click on it. But after that date, it takes you to the site every time you refresh your web browser. Imagine that the site isn’t GreenZap but some rogue porn site, and you start to get the idea of how others might exploit being able to force a widget on you.

But Stephan explains that there is an easy way – only one line of code in fact – to make this type of widget substantially more evil out of the box: “With one more line of code, the more evil version that I promised earlier takes you to GreenZap every time the widget is shown. This means that once you install zaptastic_evil, every time you launch Dashboard, your web browser goes to the GreenZap site. Which has the side effect of immediately dropping you out of Dashboard, preventing you from closing the offending widget.
You cannot get rid of zaptastic_evil without deleting it from ~/Library/Widgets/ and rebooting your computer. You cannot use your Dashboard until you delete it from ~/Library/Widgets/ and reboot your computer.”
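To make the mechanism concrete, here is an added example; it is not code from the original article or from Stephan’s widgets. It is a small shell script that looks through the widget bundles in a directory for the combination Stephan describes (an onshow handler that calls widget.openURL) and deletes the offender. It assumes widgets are *.wdgt bundles of HTML and JavaScript under ~/Library/Widgets/, the path Stephan gives; widget.onshow and widget.openURL are the Tiger Dashboard JavaScript calls, but the three sample bundles the script builds are constructed for the demo and point at example.com.

```shell
#!/bin/sh
# Audit Dashboard widget bundles for the pattern Stephan describes (a
# widget.onshow handler that calls widget.openURL), and remove one found.
# Added example for this article; not code from the original post or from
# Stephan's widgets. Assumptions: widgets are *.wdgt bundles of HTML and
# JavaScript installed under ~/Library/Widgets/ (the path Stephan gives);
# widget.onshow and widget.openURL are the Tiger Dashboard JavaScript API;
# the sample bundles below are constructed for the demo and use example.com.

# Does any HTML/JS file inside bundle $1 contain the regex $2?
bundle_matches() {
    find "$1" -type f \( -name '*.js' -o -name '*.html' \) \
        -exec grep -l -e "$2" '{}' + 2>/dev/null | grep -q .
}

# Print one line per bundle in directory $1: "<name> <verdict>".
#   FLAGGED    calls widget.openURL and installs an onshow handler (zaptastic_evil style)
#   opens-url  calls widget.openURL somewhere else, e.g. only on click (Zaptastic style)
#   ok         never calls widget.openURL
# Heuristic only: a legitimate widget may use onshow just to refresh itself.
audit_widgets() {
    for bundle in "$1"/*.wdgt; do
        [ -d "$bundle" ] || continue
        name=$(basename "$bundle")
        if bundle_matches "$bundle" 'widget\.openURL'; then
            if bundle_matches "$bundle" 'widget\.onshow'; then
                echo "$name FLAGGED"
            else
                echo "$name opens-url"
            fi
        else
            echo "$name ok"
        fi
    done
}

# Remove bundle $2 from directory $1. Stephan's writeup says Dashboard only
# forgets the widget after a reboot, so no reload is attempted here.
remove_widget() {
    [ -d "$1/$2" ] || return 1
    rm -rf "$1/$2"
}

# Constructed sample bundles (not the real flores/Zaptastic code) in directory $1.
make_sample_widgets() {
    mkdir -p "$1/flores.wdgt" "$1/zaptastic.wdgt" "$1/zaptastic_evil.wdgt"
    cat > "$1/flores.wdgt/flores.js" <<'EOF'
// harmless: only draws flowers in the vase
function refresh() { document.getElementById("vase").innerHTML = "*"; }
EOF
    cat > "$1/zaptastic.wdgt/zaptastic.js" <<'EOF'
// opens the site only when the widget is clicked
function clicked() { widget.openURL("http://example.com/"); }
EOF
    cat > "$1/zaptastic_evil.wdgt/zaptastic_evil.js" <<'EOF'
// the "one more line": opens the site every time the widget is shown
widget.onshow = function () { widget.openURL("http://example.com/"); };
EOF
}

# Stand-alone demo in a scratch directory; never touches the real ~/Library/Widgets.
demo() {
    scratch=$(mktemp -d)
    make_sample_widgets "$scratch"
    audit_widgets "$scratch"
    remove_widget "$scratch" zaptastic_evil.wdgt
    echo "--- after removal ---"
    audit_widgets "$scratch"
    rm -rf "$scratch"
}

demo
```

Run `audit_widgets ~/Library/Widgets` to check your own installation; the demo at the bottom only ever works on a scratch copy. Treat FLAGGED as “open this one’s source and read it” rather than proof of guilt, since a perfectly good widget may set onshow simply to redraw itself.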

Now, you, dear reader, are smart and savvy and computer literate, and would figure out to go and find the file and delete it. But you, dear reader, are not an average user, and the average user would have no idea what to do. So, of course, they would do what we have trained them to do – look at the help file. In this case, the help file for the Jobs version of widgets, and their Dashboard, says:

“You cannot remove widgets from the Widget Bar or change their order.”

OOPSIE!!!

So you can download any time you like, but you can never leave.

Mr. Rose’s widgets are infinitely more friendly.

So, dear reader, be warned, and before you download any widgets to run under Dashboard, be very sure of what you’re getting. And know where they land: a downloaded widget ends up in ~/Library/Widgets/, which is also the only place you can go to delete it.

Oh, and Stephan’s other “slightly evil” widget, Goatse, while perhaps only slightly more evil, is considerably more graphically shocking, imposing on your desktop, as it does, the infamous “hello” picture from the equally infamous goatse.cx site.

[Updated 5/11/05 thanks to input from Aunty’s good friend, and author of Spam Wars, Danny Goodman.]

3 Replies to “WidgetJacking: Zaptastic Shows Us the Big Hole in Tiger’s Dashboard”

  1. I don’t worry about getting infected because I never use Dashboard – useless feature, IMHO, and I’d love to know how to disable or just remove it completely.
    Too bad the pref pane doesn’t have an “off” switch… >_<

  2. It’s been well discussed on Slashdot already that the only thing that is needed is to uncheck the “Open ‘safe’ files after downloading” box in Safari Preferences. Or use Firefox to download the widgets. In any case, since the widgets only really run in Dashboard (and don’t have access to things like root or anything else) this is nowhere near deserving the kind of attention that a MS exploit gets. It’s just a reminder to watch what you download, just common sense.

  3. That’s funny, I seem to remember Apple coming up with the idea of widgets in 1984. Of course, they were called “Desk Accessories” then. Mayhaps a tad more research is in order.
