There are alarms sounding in cyberspace that one of its better-publicized features could let porn scammers catch Apple's Tiger by the tail.
The feature in question, Dashboard, includes semitransparent layers of "everyday, often-used applications . . . that [flip] down over the user's desktop," including calculators and currency converters known as "widgets." But at least one developer claims to have found a way to change it from afar that could be exploited by malware writers like porn scammers with very little trouble.
This developer, however, who calls himself only Stephan, says he did it to prevent such malware from being written, not to propagate it himself. He told Silicon.com he created a "slightly evil" miniature application under the name Zaptastic and posted it to his website. But he told AVNOnline.com via email that the last thing he wanted was to create his own malware.
"I don't want anyone giving me Dashboard widgets that I don't like," he told AVNOnline.com. "Period. So I wrote something to prevent it."
Apple declined to comment when reached by AVNOnline.com before this story went to press, treating the developer's claim, and Silicon.com's reporting of it, as a rumor. "We don't comment on rumors," an unidentified company worker said. Apple is, however, known to be encouraging developers to create their own Dashboard widgets.
Stephan told Silicon.com that Zaptastic would install itself automatically when Apple users visit his site by way of the Safari browser. AVNOnline.com attempted to visit the Zaptastic page on his site, but clicking on the Zaptastic link – next to which he called Zaptastic a "blueprint for a widget of mass destruction" – yielded a small warning pop-up saying, "The following page will automatically install an annoying widget. Proceed?"
He also told Silicon.com he thinks an auto-install program is "a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge. That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your Dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it."
He told AVNOnline.com he wrote the program "partly just to try it. You know, I didn't really publicize the Zaptastic page at all, I just made a small link to it on my widgets page.
"Also, one person writing to me put it very well, [saying it's like] an inoculation. After all, I made the most benign widgets I possibly could," he continued. "None of the three are really in any way harmful, unless you consider looking at a picture of a stretched rectum harmful, and I went to a great deal of trouble to warn people. I'll note that from my statistics, less than one percent of visitors to that page downloaded the 'evil' version. I explained what it did in clear terms. Every link to that page on my site contains a warning."
He said he was "quite certain" another developer would have thought of such an idea sooner or later, even suggesting someone else may have done so without yet disclosing it.
"I even used GreenZap as an example because ... well, because if I was sure it was for real and I could actually make a lot of money from people signing up, I probably would have just released the non-evil widget," he said. "A countdown timer for GreenZap is just as useful as a countdown timer for, say, Star Wars that takes you to the fan site when you click on it. Exactly the same program."
Stephan said he received a message from another Netizen, whom he did not identify, who criticized him for writing and publishing his work before informing Apple. But aside from not knowing just whom to contact at the Cupertino computer giant, he feared he wouldn't get an answer even if he did know.
"Further, I am dead set against security through obscurity; hiding a hole doesn't do anyone any good," he continued. "I said in my page I don't think Apple has done much wrong, and it's a shame they'll probably wind up taking away auto-install due to my article, because I think it's really cool."
How he got the idea in the first place was simpler: it grew out of "a side effect" of upgrading one of his other Dashboard widgets, Flores, an email monitor for those using Apple Mail or Gmail. While awaiting an answer from one floral merchant whose logo he wanted to borrow, he got approval from another, updated the widget, and thought about trying a meta refresh tag to force the new version on a user, just to get his original Flores off the Internet.
"Well," Stephan said. "It worked! At least if you didn't already have the widget. I think it failed if you had it already, it wouldn't overwrite . . . which set my mind to wandering, and thinking it was pretty funny that I could plant stuff on the user end that way."
But he said he was surprised the Zaptastic widget was still getting hits. "Fourteen today, 26 yesterday, 36 the day before," he said. "I expect it to be dead in two more days. When I look back further, it seems to be an exponential decay, which is what I would expect."
Stephan added that he builds the widgets he does because he wanted them himself. Other widgets he has designed include an iTunes rating widget, Starman, named for a David Bowie song, that allows iTunes users to rate their songs with a single click.