Sadville insecurity invites pickpockets

'All your Lindens are belong to us'

This story was updated to correct information about how QuickTime vulnerabilities are exploited in Second Life. An option for viewing media must first be selected.

More than two months after security researchers released exploit code that steals money from Second Life users, residents of the virtual world remain vulnerable to similar hacks, the researchers say.

The exploit, which will be demonstrated for the first time on Saturday at the Shmoocon hacker conference in Washington, allows attackers to take control of user avatars, those custom-made cartoon characters that travel through the Second Life universe. Attackers can then force the avatar to exclaim "I've been hacked" as they pilfer virtual currency, which can be transferred into real dollars.

The demo works by exploiting an old vulnerability in Apple's QuickTime media player. While Apple has provided an update patching the hole, Second Life creator Linden Lab has done little to change the architecture that allowed the exploit to work in the first place. That means Second Life residents are at risk anytime there is an unpatched security bug in the Apple software. There were close to three dozen such bugs last year, according to Secunia.

Prior to the demo, Second Life had been viewed as something of a benign place. It may have offered little more than scantily clad avatars selling lap dances and fuzzy animals congregating in discos, but it was largely viewed as a refuge from the web and email, where drive-by downloads and malicious attachments regularly turn PCs into mincemeat. Not anymore.

"In these virtual worlds, it's a whole new ballgame," says Charlie Miller, who developed the exploit along with Dino Dai Zovi. "How do you give a user information to stop that? It's counter to all the training people know right now about how to be safe."

Sadville's Sad Security

QuickTime exploits can be triggered anytime a Second Life resident passes onto a piece of virtual land controlled by an attacker, as long as the user has enabled a feature to view media. From then on, Second Life's client software will automatically activate QuickTime and open malicious links that are secretly embedded into the territory. Because music and video are such an integral part of the virtual experience, such links are a common occurrence.

Shortly after the demo was disclosed in late November, Linden Lab's Joe Miller counseled users to block the exploit by turning off video feeds. And, of course, he also advised them to install the QuickTime patch once it became available. Indeed, more recent versions of the Second Life client require users to have the most recent version of QuickTime in order to accept video feeds.

But so far, no one at the company has done anything to prevent similar unpatched vulnerabilities from being used against Second Life users in the future.

"Second Life from a security perspective is horribly broken," says Greg Hoglund, author of the book Exploiting Online Games: Cheating Massively Distributed Systems. "When you look at Second Life, you know in your bones they simply did not think about security when they developed this application. It's broken from the inside."

Second Life representatives declined to comment for this story.

I Hack Myself

For now, the exploit can only steal money that's in a victim's virtual wallet, but Miller, who is perhaps best known for hacking the iPhone a mere three weeks after it was released, says he's in the process of rewriting the code so it automatically debits credit cards filed on Second Life servers. (Credit cards are required of all users who own virtual land.) He also says it would be "trivial" to modify the exploit so it installs a rootkit or other type of backdoor on a vulnerable machine.

The exploit was also developed by Dino Dai Zovi, who turned heads last year when an exploit he spent about nine hours writing was able to fell a fully patched MacBook Pro.

Miller also says QuickTime is only one of the potentially vulnerable engines that the Second Life client depends on to render sound or video. Separate engines called fmod and Vivox, which are used to deliver sound effects and voice chat respectively, could also put users at risk.

To be fair, Second Life isn't much different than other 3-D environments. Bugs in games like Halo and World of Warcraft, for example, have allowed players to cheat. But the Second Life hack is notable given its connection to real economies and the interest companies such as AMD and IBM have shown in using the virtual world as a platform for transacting business.

"It's not obvious if I take over some random person's computer how I make money off that," Miller says. "Here, it's really easy to steal their money and cash it out."

And so far, he adds, Linden Lab seems to have no mechanism in place for detecting such heists.

"They're not doing much because last night I exploited a character 50 times," he says. "It was my own character, but they didn't know that. No power from above came down and said: 'stop that.' They certainly don't know when it happens because I do it all the time." ®