I guess I wasn’t that crazy after all. Back in May 07 I was ruminating on using widgets as an attack tool. On Bugtraq yesterday someone posted a piece about widgets, namely for OS X, wherein an attacker could compromise a system.
From Bugtraq:
Both regularly retrieve data using the Twitter JSON API and parse whatever is returned with eval(). Both relax the dashboard’s JavaScript sandbox to enable the widget.system() call, which indeed amounts to the equivalent of system(3); i.e., if an attacker can take over the widget, the attacker can take over the user’s account (and, quite often, the system).
The data are retrieved through plain HTTP. Therefore, these widgets are vulnerable to at least:
– cross-site-scripting attacks through Twitter
– subversion of Twitter and, in the case of Twitterlex, also subversion of a server used for update notifications
– man-in-the-middle attacks against local networks
(Also, deliberately malicious behavior by either Twitter or the author of at least Twitterlex is a risk from a security perspective; if one was to assume malice, then Twitterlex could be classified as a nifty backdoor.)
Interesting reading.
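To make the Bugtraq point concrete, here is an added example (mine, not code from the post, the advisory, or either widget) showing the eval()-on-fetched-data pattern beside a hardened version that parses and validates instead. The "statuses" shape and field names are assumed for illustration, and the sample responses are constructed.

```javascript
// Added example, not from the original post or the Bugtraq advisory.
// Assumes a Twitter-style array of status objects; field names are illustrative.

// Sentinel: records whether any fetched text was executed as code.
let codeExecuted = 0;
function sideEffect() { codeExecuted += 1; return 0; }

// Unsafe: eval() runs whatever the HTTP response contains. Anyone who can
// alter the response (the API, an update server, a man-in-the-middle on
// plain HTTP) decides what the widget executes. With the sandbox relaxed
// to expose widget.system(), that is shell access as the user.
function parseWithEval(body) {
  return eval("(" + body + ")");
}

// Hardened: JSON.parse() only builds data and never executes it, and the
// result is checked against the exact shape the widget needs.
function parseTimeline(body) {
  const data = JSON.parse(body);            // throws on anything that is not JSON
  if (!Array.isArray(data)) throw new Error("expected an array of statuses");
  return data.map((s, i) => {
    if (typeof s !== "object" || s === null ||
        typeof s.id !== "number" || typeof s.text !== "string") {
      throw new Error("status " + i + " has an unexpected shape");
    }
    return { id: s.id, text: s.text };     // copy known fields only, drop the rest
  });
}

// Constructed sample responses (not real API output).
const benignBody = '[{"id": 1, "text": "hello", "extra": true}]';
// Valid JavaScript but not valid JSON: eval() calls sideEffect(),
// JSON.parse() rejects it with a SyntaxError.
const hostileBody = '[{"id": sideEffect(), "text": "x"}]';

function demo() {
  parseWithEval(benignBody);
  parseWithEval(hostileBody);               // sideEffect() runs here
  const ranUnderEval = codeExecuted;
  let rejected = false;
  try { parseTimeline(hostileBody); } catch (e) { rejected = true; }
  return { ranUnderEval, rejected, safe: parseTimeline(benignBody) };
}
```

Validation after parsing matters as much as dropping eval(): the hardened parser also refuses records with unexpected types and discards unknown fields, so the widget never forwards untrusted content to anything like widget.system().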