Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: "Brian K." <codesamurai () mac com>
Date: Thu, 19 May 2005 10:34:41 -0400

I don't understand why Safari has to open it at all.

It doesn't _have_ to, as there is a preference against it.

It's none of Safari's business to execute applications after you download them.

Well, Safari really doesn't execute the widgets. It'll allow for the install of the widget (which is just moving the file to ~/Library/ Widgets/), but the widget itself won't be executed until a user drags it out.

*However*, this does bring up different issue, and that is that someone could write a fake widget (e.g. a fake Tile Game) that uses the same Bundle Identifier (e.g. com.apple.widget.tilegame), and although the real Tile Game widget will be used if already dragged out, if new Tile Game widgets are dragged out, they will be the fake ones, as the ~/Library/Widgets content will be preferred in that case. However, the widgets dragged out from the real Tile Game will still reference the real widget. (Note: Stickies would probably be a more likely target.)

The sudo issue is a different issue entirely, is a well known issue, and goes beyond widgets. From a technical standpoint, widgets are no more dangerous than any other application that a user may download.

Dashboard widgets also run in the background (invisible to the user),

So can normal applications.

1. Any kid could code up a malicious widget and stick it on a website. It takes a lot more to code an application someone would want to download and insert malware into it (I realize both are fairly trivial, but now you can do it with javascript).

Yes, I agree. On a social/practical-level, due to "availability" of an "easier" programming language to make applications there is increased statistical risk. At the technical-level, it's no more dangerous than any other application (which can be dangerous). The "cool" aspect of widgets only affects the likelyhood that a bit of code will be run. The code is not any more or less dangerous than other application code. Moreover, you still have to take action to run a Widget, the Widget code is not executed without the user taking action to do so.

2. People are likely to download and run several widgets without checking them out or evaluating their credibility (when was the last time you grep'd for sudo in a widget?)

Again, risky user behaviors.

It's not like an application where, you boot it up and you notice there's some "funny" behavior,

It wouldn't need to seem "funny" in order to accomplish what it needs. The application could seem perfectly fine, just the same.

A widget could be sitting there, lost in obscurity, not even visible to a user and sending all your keychain passwords and other information somewhere.

And so could any application a user has executed taking advantage of sudo.

I think the bigger issue here is that widgets shouldn't have the ability to gain administrative control.

The issue is *any* application shouldn't have the ability to gain administrative control (by waiting for sudo to be done).

Javascript is supposed to be considered "safe". What concerns me more is that this is integrated with Safari, and since you can run widgets in a browser, I am starting to wonder if you could execute system commands remotely by visiting a website - e.g. instead of injecting the widget, whether you could run one or take advantage of the widget interfaces remotely.

Safari won't execute that stuff, though. All that "application"- level access is not available to widgets while viewed in Safari.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]