It’s 11:30 p.m. Do you know what your widget is doing?
April 16th, 2008
by Al Merkrebs, April 16, 2008 @ 11:37 a.m. PDT
Widget security is a topic that seems to lurk in the background, not getting much attention. One example of this is the huge RSA Security Conference held last week in San Francisco. It did not have ANY panels on widget security.
A MacWorld article on widget security said,
“Widgets are owned by the user, and can do anything that a user can do. For instance, they can remove files from your home directory without asking permission. They can run anything from the command line that a user can. They can call any AppleScript that a user can.”
Yesterday, one of the W3C drafts on widgets stated that, “When compared to Web browsers, some market-leading widget user agents have a comparatively relaxed security model that allows an instantiated widget to read, write, modify, and/or delete files, automatically upload files, automatically download files, execute local applications, and even perform cross-domain request to “mash-up” data from multiple different sources. All without the end-user having any indication that their privacy and security might be at risk.” (Bold formatting is mine.)
So how does a typical user address this problem? Most of us look the other way and just click the “Install Widget” button. We are often told to only download software from sources that we trust. Well, who ARE you supposed to trust, and WHY?
I would very much like to hear your comments on and experiences with this issue. I’ll be writing more on this subject.