
May 5, 2005

Security in Mac Dashboard Widgets?

Apple's new Dashboard in the Tiger version of OS X allows you to place lots of handy little applications, called widgets, on a translucent layer over your main desktop, making it easy to call up the weather forecast, current time, measurement conversion utilities, etc.

It's a very nice addition to the OS, and I foresee lots of use of it.

Widgets are built using simple HTML, JavaScript, and stylesheets - all pretty easy and widely known technologies.

I was wondering what the security model for Dashboard widgets is. Apple's Dashboard Programming Guide says, in its Security section:

Using certain resources within your widget may pose a security risk for users. In these circumstances, the widget security model provides a method for Dashboard to be aware that your widget may perform insecure tasks. If your widget is working with resources that pose a security threat to the user, the user must approve before access is granted.

Dashboard allows you to “declare your intentions” when you:

* Access files outside of your widget bundle
* Use a Web Kit or standard browser plug-in
* Access network resources
* Run a Java applet
* Run a command-line utility
* Using a widget plug-in

It also says:

If any of these keys are present in your information property list file and it’s located outside of /Library/Widgets/, a dialog is presented to users upon your widget’s first load. The dialog asks them whether or not they want to use your widget. If the request is approved, your widget is loaded and granted access to the resources that it requested. The request is not repeated on subsequent loads if approved. If the request is denied, your widget is not allowed to load. If your widget is loaded again, the request is made to the user again.

If you attempt to use any of these resources without first specifying them in your widget’s information property list file, your attempt fails.
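
As an added example (not from the original post or from Apple's guide), the declaration mechanism quoted above can be checked before a widget is installed by reading its Info.plist and listing what it asks for. The key names are the ones Apple defined for widget Info.plist files; the sample plist, bundle identifier and paths are constructed, and treating a key set to false as not declared is an assumption.

```python
import plistlib
import posixpath

# Access keys defined for Dashboard widget Info.plist files, mapped to the
# intentions listed in the guide's Security section.
ACCESS_KEYS = {
    "AllowFileAccessOutsideOfWidget": "access files outside the widget bundle",
    "AllowInternetPlugins": "use a Web Kit or standard browser plug-in",
    "AllowNetworkAccess": "access network resources",
    "AllowJava": "run a Java applet",
    "AllowSystem": "run a command-line utility",
    "AllowFullAccess": "all of the resources above",
    "Plugin": "use a widget plug-in",
}

# Constructed sample Info.plist (not taken from any real widget).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.widget.sample</string>
  <key>MainHTML</key><string>Sample.html</string>
  <key>AllowSystem</key><true/>
  <key>AllowNetworkAccess</key><true/>
  <key>AllowJava</key><false/>
</dict></plist>"""

def declared_access(plist_bytes):
    """Return the access keys a widget's Info.plist actually turns on."""
    info = plistlib.loads(plist_bytes)
    # Assumption: a key set to false counts as not declared.
    # Plugin is a string naming the plug-in, so any non-empty value counts.
    return sorted(k for k in ACCESS_KEYS if info.get(k))

def would_prompt(plist_bytes, widget_path):
    """Per the guide: a first-load dialog appears when any key is present
    and the widget lives outside /Library/Widgets/."""
    system_dir = "/Library/Widgets/"
    inside = (posixpath.normpath(widget_path) + "/").startswith(system_dir)
    return bool(declared_access(plist_bytes)) and not inside

def audit(plist_bytes, widget_path):
    """Build a readable summary of what the widget asks for."""
    lines = [f"{k}: {ACCESS_KEYS[k]}" for k in declared_access(plist_bytes)]
    prompt = would_prompt(plist_bytes, widget_path)
    return lines + ["prompt expected" if prompt else "no prompt expected"]

if __name__ == "__main__":
    path = "/Users/example/Library/Widgets/Sample.wdgt"  # constructed path
    print("\n".join(audit(SAMPLE_PLIST, path)))
```
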

So I loaded a sample widget from Apple's Developer tools called Which - it gives you a little box that calls the command-line which utility (a Unix command that shows you where a given program resides in your file system).

I installed it on both my Powerbook and my iMac - and got no warning whatsoever.

Dan, who sits in a cubicle outside my office, tried installing a widget called QuickCommand, which gives you a basic terminal environment in the Dashboard and allows you to store four basic Unix commands to execute in that terminal. Dan reported getting a message on installation that said:

"QuickCmd is being run for the first time. Are you sure you want to run this widget?"
[Decline] [Accept]

I tried downloading the widget and again, got no such message.

But even if everybody saw the warning, there is no wording in there about the fact that this widget contains commands that could cause security risks, nor anything about what the risks of installing a random widget might be.

It would be trivial to write a widget that appeared to do something useful while executing all sorts of Unix commands - like searching your disk for credit card numbers and passwords and forwarding them on to random email addresses.

Am I the only one who's worried about the security implications of Dashboard? I expect it's entirely possible that we'll see the kinds of widespread exploits on the Mac platform that we've been fighting for years on Windows.

Sigh.

Posted by oren at May 5, 2005 1:40 PM
