'Proof of concept' Dashboard malware


Stephan.com is demonstrating just how easy it is for someone to install a malicious Dashboard widget. Using Safari to view this page on his site will install a widget called Zaptastic (here it is in ~/Library/Widgets), which when clicked takes you to this site.

Stephan calls this a blueprint for a widget of mass destruction:

If you are using Safari on Tiger, thanks to the magic of widget autoinstall, combined with the tag, a slightly evil widget has been installed in your dashboard. It could be a lot worse. There's a slightly more evil widget linked lower in this page, and I think it would be possible to make a much more destructive widget. I gave you something fairly tame.

Of course, you can just remove the offending widget from ~/Library/Widgets/ and destroy it by putting it in the trash--it's no big deal.

However, as Stephan correctly notes, a person, group or company with no morals could install a widget that's annoying, spies on you or is destructive, and these decidedly aren't good things...

What should be done about this? Should users be left to their own devices or does Apple need to take action?

What's your take?