Filed under: Software
The Problem with Widgets
I'm not going to make an active link to this site, but I am going to tell you about it and then list the address; if you really want to check it out, copy and paste it into your address bar. Here's the address: http://stephan.com/widgets/zaptastic/
Now, if you jump over to that site, it automatically downloads a widget, and Safari automatically installs it into Dashboard as well if you are on Tiger, using Safari, and you haven't bothered to disable the "Open 'safe' files after downloading" option.
So what? How's that a risk? Read more after the jump.
First things first: before you go there, open Safari > Preferences and, under General, uncheck "Open 'safe' files after downloading".

Now go to zaptastic: a blueprint for a widget of mass destruction, notice that something downloads without your asking for it, and read the long, horrible story of how widgets could go badly wrong for the Mac community, becoming, essentially, spyware and annoyware for Macs. Doom and gloom. Doom and gloom!
Eh, just don't ever recheck that box. And whatever you do, do not look at the goatse.cx widget. Do not look at the goatse; if you do not know what the goatse is and you are curious, read up on it at Wikipedia. Never look at the goatse!
Thanks, Cap'n Hector for the tip!



Reader Comments (Page 1 of 2)
matt said 4:18PM on 6-16-2005
One could set ~/Library/Widgets to read-only and still enjoy "Open safe files after downloading." The offending widget will still be downloaded, but not installed in the Widgets folder since it doesn't have permission. Then just look in your default downloads location and delete the unwanted widget.
That's one idea.
Reply
Kevin said 4:18PM on 6-16-2005
Well, the point is Apple didn't see this coming; they should have a place where we can remove widgets without using the Dashboard. Apple should also allow us to customize the "safe" files that Safari will open automatically.
Reply
Cadmium said 4:18PM on 6-16-2005
There is a way to remove widgets without going to the dashboard. It's called activity viewer.
The author does have a point however. Safari should not launch anything automatically.
Reply
Wai-Tung Leung said 10:26AM on 7-02-2005
So has anyone warned Apple yet about this little problem? (And I'm not doing it myself since I don't have Tiger) :-/
Reply
holophile said 4:18PM on 6-16-2005
The really ironic thing about this is that now Apple created some annoying message (that you can't disable) which warns you each time you download some file that could potentially contain malicious code.
But they don't display that message when you download some arbitrary little widget.
Granted, based on your definition, this is not particularly malicious. I mean, it's not trying to gain admin rights to my system.... at least not yet.
But, at the very least, this could lead to some of the same adware/spyware problems that plague that "other" well-known OS.
Reply
hadley stern said 4:18PM on 6-16-2005
C.K., that is a great find... and very scary. It's also surprising, given how we all know Apple prides itself on being the "safer" OS. What is even scarier is that this widget (not to give anyone any ideas) could be combined with Automator to wreak all kinds of havoc.
Apple, plug the hole!
Reply
kent said 4:18PM on 6-16-2005
Would Little Snitch help prevent this from occurring?
Reply
Cap'n Hector said 4:46PM on 7-05-2005
Sorry I forgot to warn you guys when I sent the link over…Really should've mentioned that it downloads the widget.
You can remove widgets just by going to ~/Library/Widgets and pulling them…
And I don't think you can auto-install to any location other than ~/Library/Widgets.
Reply
Jack said 4:18PM on 6-16-2005
I have been using Tiger for a few days and I can honestly say without a doubt that while the system on a whole does feel faster in many situations it did not previously, Dashboard is a major annoyance and pain in many ways. Now learning about this, I really have to ask what the Apple IT guys were smoking? This Dashboard feature was hyped to death. And now it's a security risk? Good lord!
Reply
bryan said 4:18PM on 6-16-2005
Jack - if you don't like it then don't use it, simple, huh?
Reply
Bill Eccles said 4:18PM on 6-16-2005
Now, a better question yet, is just how the heck do you get rid of a Widget?
I mean, without going to ~/Library/Widgets, that is. After all, the MacOS is supposed to be about user-friendliness, but if you have a Widget that you don't want anymore, you're relegated to Widget Hell.
To quote from Apple's own help file on the matter:
"You cannot remove widgets from the Widget Bar or change their order."
That pretty well sucks.
I'm thinking, by the way, of writing a Widget called "Self-Installing Annoying Widget from Hell That Will Do Nothing but Clutter Up Your Widget Bar (and Duplicate Itself Until You Have Thirty Bars of Widgets With the Widgets You Want Interspersed Randomly Throughout)."
Then again, I have better things to do.
Reply
fernando said 4:18PM on 6-16-2005
I was under the assumption that widgets were just XML, JavaScript, HTML, and other web tech. Also, don't all these play in their own sandbox under one process? I don't see how, given these circumstances, any widget could get access to critical system files or key logging, etc.
Reply
veggiedude said 4:18PM on 6-16-2005
The 'main' widgets are installed at the root level widgets directory, and thus useable by all users. The ones you download, go to your user folder of widgets (in Library). Just wanted to make that distinction. The only thing you need to be aware of, just don't go widget crazy. Each one can take up 20MB of RAM. Use wisely!
Reply
Peter da Silva said 4:18PM on 6-16-2005
Ever since Dashboard was announced this has been something I've been worried about, because a widget is just a special kind of web page, but widgets can run Cocoa (native code) elements. Being able to run native code elements from a browser window has been the BIG security hole at Microsoft for getting on for a decade now.
Being able to run a widget that doesn't contain any native code elements from a browser is not inherently any more dangerous than displaying a web page from a browser. Because a widget is just a packaged fancy web page. It would have been surprising if you couldn't run at least some widgets from the browser. Because, again, it's just a web page.
But... as far as I have been able to tell, you can only run the special kinds of widgets that include native code elements from Dashboard. So what you're looking at isn't a security hole. That doesn't mean there is one, or there isn't one, but this isn't a sign one way or the other.
Reply
Jack said 4:18PM on 6-16-2005
Bryan, yes, I don't have to use them. But the fact that there is a hole that allows access to them is disturbing. And if you've ever done tech support you would know that sometimes users who are complaining about a bogged-down system won't do the obvious thing like disabling something as silly as Widgets.
At 200MB of RAM per widget, 'that's a spicy meatball' to say the least.
Reply
Peter da Silva said 4:18PM on 6-16-2005
Whoa.
Whoa.
Let me unconditionally reverse everything I said there. I didn't go through to the site because I didn't want an annoying widget in my browser. I didn't realise that this thing was installing an annoying widget in Dashboard.
In Dashboard.
OK, Apple, that's bad. That's really bad. A widget can do anything it wants to, once it's been accepted, and people are used to accepting them. This is just asking for abuse.
Apple needs to back out of considering widgets as "safe" files, *and* they need to make "open safe files" an option, not the default behaviour.
And they need to do it now.
Reply
bistrojack said 4:18PM on 6-16-2005
Has anyone noticed that widgets consume rather large amounts of RAM?
Flight Tracker: 25.5 MB
Weather: 10.5 MB
Yahoo Traffic: 10.12 MB
Even the world clock uses 5.3 MB.
Load up a page of widgets and watch your system going to swap.
Reply
Daniel Pritchard said 11:47PM on 7-23-2005
How is there no warning??? I just clicked to download a widget, and I get the same annoying-ass warning I do when I try to download a .DMG, or even an .EXE! Here's the warning I got when downloading a widget from Apple's site. Sheet in Downloads window, with the following text:
“Sound Volume.wdgt” contains an application.
Are you sure you want to continue downloading “Sound Volume.wdgt”?
I'm not even interested in going to that site, but how can they bypass the Safari nag screen?
Reply
Dale said 4:18PM on 6-16-2005
Talk about a storm in a teacup. How is a widget redirecting you to a porn site any different to a link in a web browser redirecting you to a porn site?
As the article notes, even porn sites stop you closing browser windows, i.e. the equivalent of not removing a widget from the Dashboard interface.
Are you complaining about browsers as well?
Dashboard widgets run in their own process ('sandbox') and Apple have put limits on what a widget can do. They're also subject to the normal security precautions built in to Mac OS X accounts, i.e. they can't run as root, etc. Did you even read the developer documentation before scaremongering like this?
Please get some facts and get back to us if you want us to take you or this developer seriously.
Reply
Dale said 4:18PM on 6-16-2005
bistrojack: If your Mac has to swap memory because you're running 3 widgets that consume 40MB of RAM then you need to either get more RAM or buy a new Mac.
Mac OS X's virtual memory subsystem can easily cope with 40MB RAM allocated to 3 widgets who sit in the background not using your CPU. Mac OS X simply moves this 'not being used' RAM out of the way and uses your real RAM for what you're doing at the moment.
Apple were aware of this when making Dashboard, and they designed Dashboard to have little impact when not active. They also strongly encourage Dashboard developers to do the same.
This isn't a real problem.
Reply