Security in Mac Dashboard Widgets?


Apple’s new Dashboard in the Tiger version of OS X allows you to place lots of handy little applications, called widgets, on a translucent layer over your main desktop, making it easy to call up the weather forecast, current time, measurement conversion utilities, etc.

It’s a very nice addition to the OS, and I foresee lots of use of it.

Widgets are built using simple HTML, JavaScript, and stylesheets – all pretty easy and widely known technologies.

I was wondering what the security model for Dashboard widgets is. Apple’s Dashboard Programming Guide says, in its Security section:

Using certain resources within your widget may pose a security risk for users. In these circumstances, the widget security model provides a method for Dashboard to be aware that your widget may perform insecure tasks. If your widget is working with resources that pose a security threat to the user, the user must approve before access is granted.

Dashboard allows you to “declare your intentions” when you:

- Access files outside of your widget bundle
- Use a Web Kit or standard browser plug-in
- Access network resources
- Run a Java applet
- Run a command-line utility
- Use a widget plug-in

It also says:

If any of these keys are present in your information property list file and it’s located outside of /Library/Widgets/, a dialog is presented to users upon your widget’s first load. The dialog asks them whether or not they want to use your widget. If the request is approved, your widget is loaded and granted access to the resources that it requested. The request is not repeated on subsequent loads if approved. If the request is denied, your widget is not allowed to load. If your widget is loaded again, the request is made to the user again.

If you attempt to use any of these resources without first specifying them in your widget’s information property list file, your attempt fails.
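The declarations the guide describes live in the widget bundle’s Info.plist, so an administrator can check what a widget is asking for before (or after) installing it. The script below is an added example, not code from this post or from Apple: it parses an Info.plist, reports which of the privileged capabilities listed above the widget declares, and flags bundles sitting under /Library/Widgets/, where the guide says the first-load dialog is not shown. The key names (AllowSystem, AllowNetworkAccess, and so on) are the ones Apple’s Dashboard Programming Guide uses for these declarations; they are not quoted on this page, and the sample plist is constructed for the example.

```python
"""Audit which privileged capabilities a Dashboard widget declares.

Added example (not from the original post or from Apple). The key names
below are the ones Apple's Dashboard Programming Guide uses for the
"declare your intentions" entries in a widget's Info.plist.
"""
import plistlib
import sys
from pathlib import Path

# Declaration key -> the capability it unlocks, in the order the post lists them.
PRIVILEGED_KEYS = {
    "AllowFileAccessOutsideOfWidget": "Access files outside of the widget bundle",
    "AllowInternetPlugins": "Use a WebKit or standard browser plug-in",
    "AllowNetworkAccess": "Access network resources",
    "AllowJava": "Run a Java applet",
    "AllowSystem": "Run a command-line utility (widget.system)",
    "Plugin": "Load a native widget plug-in",
    "AllowFullAccess": "All of the above at once",
}


def declared_capabilities(info_plist: bytes) -> list[str]:
    """Return the capability descriptions a widget's Info.plist requests.

    A boolean key counts only when it is true; Plugin counts when it names
    a bundle. Keys set to false or absent are not declarations.
    """
    plist = plistlib.loads(info_plist)
    found = []
    for key, description in PRIVILEGED_KEYS.items():
        value = plist.get(key)
        if key == "Plugin":
            if value:
                found.append(description)
        elif value is True:
            found.append(description)
    return found


def prompt_suppressed(bundle_dir: Path) -> bool:
    """True when the bundle is under /Library/Widgets/, where the guide says
    no first-load dialog is presented for these declarations."""
    return str(bundle_dir.resolve()).startswith("/Library/Widgets/")


def audit_widget(bundle_dir: Path) -> dict:
    """Audit one .wdgt directory on disk."""
    data = (bundle_dir / "Info.plist").read_bytes()
    plist = plistlib.loads(data)
    return {
        "bundle": str(bundle_dir),
        "identifier": plist.get("CFBundleIdentifier", "?"),
        "capabilities": declared_capabilities(data),
        "prompt_suppressed": prompt_suppressed(bundle_dir),
    }


# Constructed sample: a widget that wants to run shell commands and use the
# network, and explicitly declines Java.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.sample-command-widget</string>
    <key>MainHTML</key>
    <string>main.html</string>
    <key>AllowSystem</key>
    <true/>
    <key>AllowNetworkAccess</key>
    <true/>
    <key>AllowJava</key>
    <false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Usage: python widget_audit.py ~/Library/Widgets/*.wdgt /Library/Widgets/*.wdgt
    bundles = [Path(p) for p in sys.argv[1:]]
    if not bundles:
        print("constructed sample declares:", declared_capabilities(SAMPLE_INFO_PLIST))
    for bundle in bundles:
        result = audit_widget(bundle)
        flag = " (no first-load dialog: under /Library/Widgets/)" if result["prompt_suppressed"] else ""
        print(f"{result['identifier']}{flag}")
        for capability in result["capabilities"] or ["no privileged capabilities declared"]:
            print(f"  - {capability}")
```

Run it against every .wdgt directory in ~/Library/Widgets and /Library/Widgets to get a one-screen inventory of which widgets can run commands, reach the network, or read outside their bundle. A widget that declares AllowSystem is worth the same scrutiny as any other program you would let run shell commands, whatever the dialog says.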

So I loaded a sample widget from Apple’s Developer tools called Which – it gives you a little box that calls the command line which utility (a unix command that shows you where a given program resides in your file system).

I installed it on both my Powerbook and my iMac – and got no warning whatsoever.

Dan who sits in a cubicle outside my office, tried installing a widget called QuickCommand, which gives you a basic terminal environment in the Dashboard and allows you to store four basic unix commands to execute in that terminal. Dan reported getting a message on installation that said:

“QuickCmd is being run for the first time. Are you sure you want to run this widget?”
[Decline] [Accept]

I tried downloading the widget and again, got no such message.

But even if everybody saw the warning, there is no wording in there about the fact that this widget contains commands that could cause security risks, nor anything about what the risks of installing a random widget might be.

It would be trivial to write a widget that appeared to do something useful while executing all sorts of unix commands – like searching your disk for credit card numbers and passwords and forwarding them on to random email addresses.

Am I the only one who’s worried about the security implications of Dashboard? I expect it’s entirely possible that we’ll see the kinds of widespread exploits on the Mac platform that we’ve been fighting for years on Windows.

Sigh.
