I've reported this security issue under the Bug ID# 7377324.
Regards,
Michael
Am 09.11.2009 um 18:26 schrieb Perry The Cynic:
On Nov 7, 2009, at 12:53 PM, kwasi-ich.de wrote:
Hi,
I am trying to build in Keychain functionality within my Dashboard
Widget.
After I was able to get it running, I got some concerns.
At the moment I am trying to access passwords, stored by an other
application.
(The widget is meant to be an extension for that application)
But when running it, Keychain asks me to grant DashboardClient
access to that password.
Since all Widgets are run by DashboardClient, ALL Widgets would be
granted to access the password.
This is not the way it was intended and opens a security hole.
Since Widgets are only executed as Plug-Ins of DashboardClient they
are not stand alone applications.
They are created as Cocoa Bundles.
Is there a way to only grant access to a Bundle or Plug-In?
Also, how reasonable is it to do such things from within a Widget?
Even if I'd like to store my own passwords, Keychain would allow
all Widgets to access them, not only mine.
It's not an unreasonable thing to do. Sadly, the Dashboard host is
missing a piece of critical infrastructure (it ought to be a code
signing host but isn't, so far). Please file a bug report.
Meanwhile, it is perfectly true that any keychain item accessible by
one dashboard widget is accessible to all, which is not good; and
there really is no particularly good way around that (that I know of).
Cheers
-- perry
---------------------------------------------------------------------------
Perry The Cynic email@hidden
To a blind optimist, an optimistic realist must seem like an
Accursed Cynic.
---------------------------------------------------------------------------
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
