At 12:21 +0100 UTC, on 2005/05/09, Andrew Knott wrote:
> There's an article on Slashdot regarding an example widget that may
> perhaps show a security problem with widgets?
>
> http://it.slashdot.org/it/05/05/08/2131208.shtml?tid=172&tid=179&tid=3
>
> Do you (list) think this is something to be concerned about?
I would say so, yes.
Given the similarities to last year's URL scheme security hole I thought I'd
add it to my coverage of that problem. See
<http://www.euronet.nl/~tekelenb/playground/security/Dashboard/>.
Note that Apple has just silently removed the one sentence regarding user
authentication from the online Dashboard documentation:
<http://www.euronet.nl/~tekelenb/playground/security/Dashboard/#news200505121645>.
In doing so, Apple in fact acknowledges that there is no (functioning)
mechanism that allows users to grant/deny widgets privieleges.
Thus the current situation is that widgets having to declare the level of
access they want means nothing, as that declaration is automaticallt granted,
and Safari by default allows widgets to install themselves silently and from
any source.
--
Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Dashboard-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/dashboard-dev/email@hidden
This email sent to email@hidden
