February 2006: This issue was long ago resolved by Apple. I've restored this page to its original, pre-slashdot state. I've also kept the later, commented version available. If you'd like something new to read, check out my new blog,

Scattered Thoughts

Topics include Macintosh, politics, and Web 2.0

blueprint for a widget of mass destruction
by stephan.com

Now we're all sons of bitches
- Kenneth Bainbridge, director of the Trinity tests
Now I am become Death, the destroyer of worlds
- J. Robert Oppenheimer, quoting the Bhagavad Gita
Welcome to zaptastic.

If you are using Safari on Tiger, thanks to the magic of widget autoinstall, combined with the <meta> tag, a slightly evil widget has been installed in your dashboard. It could be a lot worse. There's a slightly more evil widget linked lower in this page, and I think it would be possible to make a much more destructive widget. I gave you something fairly tame.

You're welcome.

Other browser users will probably find it on their desktop.
In case the autoload doesn't work, here's a link: zaptastic

I picked up Tiger at launch time from my local Apple store, brought it home, and got inspired to start in on a widget the next day. My flores and coras widgets are taking off like crazy. Over the last few days I've figured out quite a lot, including the fact that there are some potentially very annoying things one can do with a widget.

Let's start with autoinstall. I happen to like it, actually, I think it's a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.

That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it. Type "remove widget" into Apple Help, and you find out:

You cannot remove widgets from the Widget Bar or change their order.
Most of those reading this are probably aware of the workaround - just remove the offending widget from ~/Library/Widgets/. The Dashboard bar is not very good about updating when a widget is removed, but eventually it figures things out.

The average user, who can't find their Library folder with two mice and a spotlight, is stuck. It would take all of thirty seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard, and you're stuck with it. It doesn't even need any Javascript. Oh, hell, why not? (warning: oh me oh my, this is SO VERY NSFW) Click on this: goatse.cx

Aren't you glad I didn't autoload THAT one?

Annoying, but not actually deadly. Unless, of course, some porn site installs 'chickswithdicks.wdgt' and your heavily armed and unstable spouse sees it. Actually, now that I look at that on my Dashboard, I'm kinda proud of it. Mr. Goatse, wherever you are, I tip my hat. And I hope you can sit down now.

Next, let's talk about zaptastic. I went to the trouble of making it ostensibly useful: it is a countdown timer for the launch of alleged PayPal competitor GreenZap. GreenZap is probably a Ponzi scheme, but do remember that PayPal gave away money when they were new, and it really would be a good idea on general principle if they had competition. Decide for yourself if this is of any utility. That really wouldn't be necessary, though, because the real point of the widget is that when it initializes or you click on it, it takes you to the GreenZap site, with my affiliate code, to try to get you to sign up. GreenZap is a pretty benign place to send you; I'm sure you can think of some less friendly destinations. Otherwise, it's rather well behaved, at least until June 1, after which it will take you there on every refresh.

This is annoying.

With one more line of code, the more evil version that I promised earlier takes you to GreenZap every time the widget is shown. This means that once you install zaptastic_evil, every time you launch Dashboard, your web browser goes to the GreenZap site. Which has the side effect of immediately dropping you out of Dashboard, preventing you from closing the offending widget.

You cannot get rid of zaptastic_evil without deleting it from ~/Library/Widgets/ and rebooting your computer. You cannot use your Dashboard until you delete it from ~/Library/Widgets/ and reboot your computer. Write that down if you're not clear on the concept, on a piece of paper, not a Dashboard sticky, because you won't be able to read it once you've installed this. Because Apple didn't actually give you a way to relaunch Dashboard without a reboot, though I suppose you could just kill the process. Certainly there is no user documentation for that.

This is very annoying.

I am SO not kidding! Do not install zaptastic_evil unless you actually know how to delete it and reboot your computer. zaptastic_evil shouldn't do any real damage, it's not that smart, but I take no responsibility if it does.

This said, here it is: zaptastic_evil.

This could be taken further, of course, using all the nasty tricks developed by the pr0n industry over the last few years - opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open - Apple's boilerplate code tells you to put your widget to sleep when the Dashboard closes, and warns you to make sure you do this, so I assume you could keep opening pages and doing other things. I haven't looked, but I think you can make a widget window move around; I know you can resize it as big as you like.

I promised "a blueprint for a widget of mass destruction," so let's take this a bit further. Dashboard widgets are constrained to run in a very safe Javascript sandbox by default. However, a widget creator can make plugins for a widget that (I think) can do anything an app can do, not to mention being able to run any command line process:

Using certain resources within your widget may pose a security risk for users. In these circumstances, the widget security model provides a method for Dashboard to be aware that your widget may perform insecure tasks. If your widget is working with resources that pose a security threat to the user, the user must approve before access is granted.
Dashboard Programming Guide , p 57

Dashboard provides you with a method for using command-line utilities and scripts within your widget. With this capability you can use any standard utilities included with the system or any utilities or scripts you include within your widget.
ibid., p 61

"So what?" you may say, "The user gets warned.". Two words: social engineering. The Macintosh user base is rapidly being conditioned that widgets are harmless little toys, and Apple's warning is fairly innocuous:

goatse.cx is being run for the first time.
Are you sure you want to run this widget?

That doesn't look particularly threatening. I haven't tried any actually destructive things; I would assume that getting root is a lot easier when you're starting from inside the host box. I wonder how many of the gmail passwords entered by users in flores and coras are the same as the root password?

It would be obscenely easy for me to harvest passwords in those applications, by the way... but I don't. I could just generate hits on http://stephan.com/watch.html?username:password and then go read my system logs. - - [05/May/2005:02:49:11 -0400] "GET /widgets/flores/index.html?foo:bar HTTP/1.1" 200 5758

Even without root, though, there are some pretty interesting things you could do. A widget, for example, could use time when it is hidden to add <meta> tags to every .html page stored in the users home directory. If the user happens to be running a web server - or even uploading files to one - this could propagate a widget to other machines. I'm not really a security expert, I'm sure others can think of worse things to do.

Apple has significantly lowered the bar for malicious entities to install and execute damaging code in OSX. Honestly, I don't think this is that big of a deal - causing real damage is likely a bit harder than I make it sound.

Ultimately, it all comes down to Gödel's incompleteness theorem and Turing's halting problem: you can't predict what a program will do until you run it. There is ultimately no solution for this, and you have to strike a balance between usability and security. There will always be viruses, both in the real world and in the information world; that's why humans have immune systems, and that's why we get sick anyway. If there was a way around the incompleteness problem, natural selection probably would have found it a few million years ago.

I think Apple has done a pretty good job of it - the only real change I would consider is re-thinking the logic behind autoinstall, and for heaven's sake, PLEASE provide a way to remove widgets, ideally from OUTSIDE the Dashboard. That's just stupid.

Administrators concerned about security may wish to disable installation of new widgets; from my testing at an Apple store, it appears that they do it by denying write privileges to ~/Library/Widgets/

The rest of you... just watch your back.

If you found this information useful, please consider making a donation to say "thank you." I've set the default donation above to $50: if you actually need this information, it's worth more than that, but send any amount you wish, or go shopping at my affiliates.
Or, better yet, hire me.

download another widget or explore the stephan.com web site.
mail: stephan@stephan.com

stephan.com is a consultant working primarily in mobile and wireless entertainment and media and interactive television, as well as an accomplished multimedia and performance artist, actor, and dancer. he has a real last name, he just doesn't like it.

zaptastic and this article are distributed for free under the Creative Commons Attribution-NonCommercial 2.0 license.
dashboard widgets
by stephan.com

a fresh bouquet of email

120x90 iTunes
Gin and Juice Private Idaho Hey Fuck You I'd Rather Dance With You

flag for ecotopia