widgetBeat…

It’s 11:30 p.m. Do you know what your widget is doing?

April 16th, 2008

by Al Merkrebs, April 16, 2008 @ 11:37 a.m. PDT

Widget security is a topic that seems to lurk in the background, not getting much attention. One example of this is the huge RSA Security Conference held last week in San Francisco. It did not have ANY panels on widget security.

A MacWorld article on widget security said,
“Widgets are owned by the user, and can do anything that a user can do. For instance, they can remove files from your home directory without asking permission. They can run anything from the command line that a user can. They can call any AppleScript that a user can.”

Yesterday, one of the W3C drafts on widgets stated that, “When compared to Web browsers, some market-leading widget user agents have a comparatively relaxed security model that allows an instantiated widget to read, write, modify, and/or delete files, automatically upload files, automatically download files, execute local applications, and even perform cross-domain request to “mash-up” data from multiple different sources. All without the end-user having any indication that their privacy and security might be at risk.” (Bold formatting is mine.)

So how does a typical user address this problem? Most of us look the other way and just click the “Install Widget” button. We are often told to only download software from sources that we trust. Well, who ARE you supposed to trust, and WHY?

I would very much like to hear your comments on and experiences with this issue. I’ll be writing more on this subject.

Entry Filed under: widget in sight