#9
That is something that they should improve. I don't think that sudo should be allowed to execute at all via Dashboard. Having it able to run any command whatsoever isn't really a good idea. Just imagine some widget that is not sleeping running the command sudo rm -rf / every 2 seconds. Most of the time it would fail but if you then sudo xxxx something else in Terminal you could wipe out most of your HD in seconds. This command would have to be hidden behind some real use for the widget but there's nothing stopping someone from making some dancing girl widget with a malicious intent. In addition I think sudo timeout should be limited to each Terminal session/window and not a global setting.
__________________
MacBook Pro 2.16GHz Core2Duo 3GB RAM, G4 1.4GHz OSX Tiger 1.25GB RAM, Dual 2GHz G5 OSX Tiger 2GB RAM (freakin shweet) Athlon 64 Windoze XP for school work (programming) 1GB RAM dferns@macosx.com
#10
I think part of the problem is that the Dock probably uses the same tty as everything else running in the gui portion of the system. Being part of the dock seems dumb to me, as I'd think everything you launched off the dock would have it as a parent (including widgets). But why have a grace period at all? Just make users type their password repeatedly. If someone needs to execute _that_ many commands as root, do a 'sudo -s' and get a root shell. I removed my timeout - no more problem. But yeah, it'd be nice to limit it to one specific application or terminal.
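Posts #9 and #10 both want the grace period either gone or confined to one terminal; sudoers spells that out with the timestamp_timeout and tty_tickets Defaults. The audit script below is an added example (not from any poster) that reads sudoers text and reports which of those states it is in; it assumes the key=value form without spaces around "=", ignores #include files, and works on a constructed sample.

```shell
# Audit sudoers text for the settings that bound sudo's credential grace
# period. Added example, not from the thread; assumes "key=value" with no
# spaces around "=" and ignores included files. The sample is constructed.
SAMPLE_SUDOERS='Defaults env_reset
# 15-minute grace period, one ticket shared by every tty
Defaults timestamp_timeout=15, !tty_tickets
%admin ALL=(ALL) ALL'

# sudo_defaults KEY: read sudoers text on stdin and print the last value
# given for KEY on any Defaults line ("on"/"off" for flags), or "default".
sudo_defaults() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }                        # skip comments
        /^[[:space:]]*Defaults/ {                        # Defaults, Defaults:user, ...
            n = split($0, f, /[[:space:],]+/)
            for (i = 2; i <= n; i++) {
                if (f[i] == key)            v = "on"     # bare flag
                else if (f[i] == "!" key)   v = "off"    # negated flag
                else if (index(f[i], key "=") == 1)
                    v = substr(f[i], length(key) + 2)    # key=value
            }
        }
        END { print (v == "" ? "default" : v) }'
}

# sudo_grace_verdict: "strict" when every sudo prompts (timeout 0),
# "per-tty" when a cached credential is confined to one terminal,
# "never-expires" for a negative timeout, otherwise "shared".
# A missing tty_tickets is treated as "shared" here; sudo of the thread's
# era left it off by default, current sudo turns it on by default.
sudo_grace_verdict() {
    text=$(cat)
    timeout=$(printf '%s\n' "$text" | sudo_defaults timestamp_timeout)
    tickets=$(printf '%s\n' "$text" | sudo_defaults tty_tickets)
    case "$timeout" in
        0)  echo strict ;;
        -*) echo never-expires ;;
        *)  [ "$tickets" = on ] && echo per-tty || echo shared ;;
    esac
}

printf '%s\n' "$SAMPLE_SUDOERS" | sudo_grace_verdict   # prints: shared
```

Run it against a real file with `sudo cat /etc/sudoers | sudo_grace_verdict`; "strict" or "per-tty" is what posts #9 and #10 are asking for.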
#11
This is where I think security is more important than usability. Apple should make the timeout default. Thanks for the tip.
#12
Hmm, interesting. But is there some reason that plain old applications can't do the same thing, i.e. was this not possible until the advent of Dashboard?
__________________
You can have my iBook when you pry it from my cold, dead fingers. iBook - The computer of choice for the enlightened CS major. Come on Apple, let me do a commercial. ;-) "An alloc a day keeps the DRAM away!"
#13
Apps could do the same thing, but widgets I feel are a higher risk, because:
1. Nobody suspects JavaScript to be able to execute binaries (they were given an interface in widgets)
2. Widgets run in the background for the duration of the user's session
3. The dashboard is generally not visible to the user unless it is specifically activated
4. Users are likely to download and run many widgets simultaneously
5. Widgets, being mini-applications, cater to a much wider class of users
6. To make a good trojan all you have to do is write a few lines of widget code to make it interesting enough to download... and people will blindly download and run it (the cattle theory)
#14
Yeah, the risk is definitely higher, but I suppose the potential is about the same. In any case, this will be something to watch out for.
__________________
You can have my iBook when you pry it from my cold, dead fingers. iBook - The computer of choice for the enlightened CS major. Come on Apple, let me do a commercial. ;-) "An alloc a day keeps the DRAM away!"
#15
Shall I be the one painting the _really_ dark picture? We've always said that the Mac was inherently safe. That Mac viri wouldn't spread like Windows viri, because they couldn't use the Mac's E-Mail applications like they could with Windows, spreading stuff quickly all over the place.
1.) Someone writes a malicious Dashboard widget that looks delicious.
2.) Someone writes a Windows worm/virus combo that spreads all over the net.
3.) The worm starts using the Windows machines and will be sending out millions of E-Mails containing the Dashboard widget.
Windows, in this dark picture, will be a needed part. But it's not like there weren't any Windows machines out there, right?
__________________
MacBook Air 13" 1.6 GHz, 2 GB RAM, 80 GB HD. Mac OS X 10.5.5 Hackintosh Core2Duo 2.4 GHz, 2 GB RAM, 160 GB HD. Mac OS X 10.5.5 iPhone 3G 16 GB white, AppleTV 1G 40 GB Mac user since 1987, Apple Product Professional 2007, 2008. Apple Certified Support Professional 10.5
#16
It looks like c|net thought this was important enough to write an article about: http://news.com.com/Widget+security+...5752&subj=news Let's hope that Apple decides to do something constructive and fix it.