Quote:
Originally Posted by chris v
At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into permanent pr0n spazms. This…
This is really a regrettable, inexcusable vulnerability. I know OS X is a complex project, but you would think someone in management or QA would take charge and put 2+2 together be…
Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/password combinations, and then occasiona…
I'm wondering why we all did not see this coming before. I don't mean to come off as an alarmist, but the type of scenario workerbee is describing is within the realm of possibilit…
At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the user running it or it can do destructive th…
Quote:
Originally Posted by workerbee
Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/…
As an addendum to my previous post, I will go so far as to say Safari's definition of "safe" files should exclude widgets or any other executable code -- I have no problem with tha…
Quote:
Originally Posted by Jeff Mincey
At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the …
Quote:
Originally Posted by Jeff Mincey
At present I cannot side with those who see this as a security issue.
(snip)
But that's not what is happening here and thus I see peo…
User interaction to invoke the widget once installed is worth zero. 99% of Windows Outlook worms require the user to open the messages, which often have subjects like "I AM A V1RUS…
Just curious:
Widgets are, on their most basic level, CSS/XHTML/Javascript. As long as the dashboard app only runs widgets that have that criteria, it seems like it's not as big …
Quote:
Originally Posted by wtmcgee
To me, it doesn't seem like it's as big a deal as some are making it out to be.
Yes it is, however, from what I have read, fixing it see…
Quote:
Originally Posted by wtmcgee
Just curious:
Widgets are, on their most basic level, CSS/XHTML/Javascript. As long as the dashboard app only runs widgets that have that c…
Here's what else they could do, and it's far worse than either openURL or openApplication:
Quote:
Originally Posted by Apple Developer Documentation
system
Executes a command-…
Quote:
Originally Posted by CharlesS
This is almost the exact same thing as on Windows IE when you browse to a site and it decides it will install some custom toolbar or other s…
Quote:
Originally Posted by Person Man
Well, not exactly. It's not a "bitch to get rid of" a widget...
It is if you're a novice user and don't know about ~/Library/Widgets.
…
Quote:
Originally Posted by CharlesS
Here's what else they could do, and it's far worse than either openURL or openApplication:
So all a widget needs to do is widget.system("r…
Quote:
Originally Posted by misc
Doesn't running system commands require the "Are you sure?" agreed to? And what stops the widget from not displaying this and/or automatically a…
Quote:
Originally Posted by CharlesS
1. It's already been shown that a site can make a widget look just like one of the default Apple ones.
2. If a user isn't intimately famili…
Quote:
Originally Posted by misc
Right, I understand that. But by doing a 'rm -fr' command from within a widget, Dashboard will raise the red flag and say "You sure?"
Right?
…
Nope! Your " Calculator" widget did not ask me for any kind of confirmation at all. It just ran, said its nasty little message, and displayed "EVIL" on the screen.
From the looks …
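An added defender-side check, not code from this thread or from Apple: the script below audits a widgets directory (the per-user location is the ~/Library/Widgets mentioned above) and flags any bundle whose Info.plist grants AllowSystem, the key Dashboard uses to enable the widget.system bridge CharlesS quotes, or whose scripts call widget.system() at all. The two sample widgets it builds are constructed for the demo and are not real Apple widgets.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# A call into Dashboard's JavaScript bridge that spawns a shell command.
SYSTEM_CALL = re.compile(r"\bwidget\.system\s*\(")

def audit_widget(bundle: Path) -> dict:
    """Report whether one .wdgt bundle is able to run shell commands."""
    allow_system = False
    plist_path = bundle / "Info.plist"
    if plist_path.is_file():
        with plist_path.open("rb") as fh:
            info = plistlib.load(fh)
        # Dashboard only honours widget.system() when Info.plist grants AllowSystem.
        allow_system = bool(info.get("AllowSystem", False))
    callers = sorted(
        src.relative_to(bundle).as_posix()
        for src in bundle.rglob("*")
        if src.is_file() and src.suffix.lower() in (".js", ".html", ".htm")
        and SYSTEM_CALL.search(src.read_text(errors="replace"))
    )
    return {
        "widget": bundle.name,
        "allow_system": allow_system,
        "system_callers": callers,
        # Either signal is enough: the grant alone lets code be added later.
        "suspicious": allow_system or bool(callers),
    }

def audit_widgets_dir(root="~/Library/Widgets") -> list:
    """Audit every widget bundle under root (default: per-user install dir)."""
    root = Path(root).expanduser()
    if not root.is_dir():
        return []
    bundles = (p for p in root.iterdir() if p.is_dir() and p.suffix == ".wdgt")
    return sorted((audit_widget(b) for b in bundles), key=lambda r: r["widget"])

def make_demo_dir() -> Path:
    """Constructed sample widgets (not real Apple widgets) for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="widgets-"))
    for name, allow, script in (
        ("Clock.wdgt", False, "function update() { document.title = new Date(); }"),
        ("Calculator.wdgt", True, "widget.system('echo constructed sample', null);"),
    ):
        (root / name).mkdir()
        with (root / name / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleIdentifier": "example." + name, "AllowSystem": allow}, fh)
        (root / name / "main.js").write_text(script)
    return root
```

Run `audit_widgets_dir()` with no argument to check your own account's widgets; each report names the widget, the AllowSystem grant, and the source files that call widget.system().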
APC sells their fingerprint sensor/software bundle for US$30 (there are 7 other suppliers for PC under US$40) while the only one I found compatible with my Mac OS X is a SONY at…
Considering that fingerprint sensors can be defeated with technology as simple as candy (yes, candy), sticky tape, or your breath, I'm not sure I'd be too concerned -- passwords ar…