Blueprint for a widget of mass destruction [via] (in short: Tiger users must uncheck the “Open safe files after downloading” option in Safari’s preferences):

Welcome to zaptastic. If you are using Safari on Tiger, thanks to the magic of widget autoinstall, combined with the tag, a slightly evil widget has been installed in your dashboard. It could be a lot worse.

The average user, who can’t find their Library folder with two mice and a spotlight, is stuck. It would take all of thirty seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard, and you’re stuck with it. It doesn’t even need any Javascript. Oh, hell, why not? Click on this: goatse.cx.wdgt.zip.

With one more line of code, the more evil version that I promised earlier takes you to GreenZap every time the widget is shown. This means that once you install zaptastic evil, every time you launch Dashboard, your web browser goes to the GreenZap site. Which has the side effect of immediately dropping you out of Dashboard, preventing you from closing the offending widget.

Even without root, though, there are some pretty interesting things you could do. A widget, for example, could use time when it is hidden to add <meta> tags to every .html page stored in the users home directory. If the user happens to be running a web server - or even uploading files to one — this could propagate a widget to other machines.