Feeds

Sadville insecurity invites pickpockets

'All your Lindens are belong to us'

Remote control for virtualized desktops

This story was updated to correct information about how QuickTime vulnerabilities are exploited in Second Life. An option for viewing media must first be selected.

More than two months after security researchers released exploit code that steals money from Second Life users, residents of the virtual world remain vulnerable to similar hacks, the researchers say.

The exploit, which will be demonstrated for the first time on Saturday at the Shmoocon hacker conference in Washington, allows attackers to take control of user avatars, those custom-made cartoon character that travel through the Second Life universe. Attackers can then force the avatar to exclaim "I've been hacked" as they pilfer virtual currency, which can be transfered into real dollars.

The demo works by exploiting an old vulnerability in Apple's QuickTime media player. While Apple has provided an update patching the hole, Second Life creator Linden Lab has done little to change the architecture that allowed the exploit to work in the first place. That means Second Life residents are at risk anytime there is an un-patched security bug in the Apple software. There were close to three-dozen such bugs last year, according to Secunia.

Prior to the demo, Second Life had been viewed as something of a benign place. It may have offered little more than scantily clad avatars selling lap dances and fuzzy animals congregating in discos, but it was largely viewed as a refuge from the web and email, where drive-by downloads and malicious attachments regularly turn PCs into mincemeat. Not anymore.

"In these virtual worlds, it's a whole new ballgame," says Charlie Miller, who developed the exploit along with Dino Dai Zovi. "How do you give a user information to stop that? It's counter to all the training people know right now about how to be safe."

Sadville's Sad Security

QuickTime exploits can be triggered anytime a Second Life resident passes onto a piece of virtual land controlled by an attacker, as long as a user has enabled a feature to view media. From then on, Second Life's client software will automatically activate QuickTime and open malicious links that are secretly embedded into the territory. Because music and video are such an integral part to the virtual experience, such links are a common occurrence.

Shortly after the demo was disclosed in late November, Linden Lab's Joe Miller counseled users to block the exploit by turning off video feeds. And, of course, he also advised them to install the QuickTime patch once it became available. Indeed, more recent versions of the Second Life client require users to have the most recent version of QuickTime in order to accept video feeds.

But so far, no one at the company has done anything to prevent similar un-patched vulnerabilities from exploiting Second Life users in the future.

"Second Life from a security perspective is horribly broken," says Greg Hogland, author of the book Exploiting Online Games: Cheating Massively Distributed Systems. "When you look at Second Life, you know in your bones they simply did not think about security when they developed this application. It's broken from the inside."

Second Life representatives declined to comment for this story.

I Hack Myself

For now, the exploit can only steal money that's in a victim's virtual wallet, but Miller, who is perhaps best known for hacking the iPhone a mere three weeks after it was released, says he's in the process of rewriting the code so it automatically debits credit cards filed on Second Life servers. (Credit cards are required of all users who own virtual land.) He also says it would be "trivial" to modify the exploit so it installs a rootkit or other type of backdoor on a vulnerable machine.

The exploit was also developed by Dino Dai Zovi, who turned heads last year when an exploit he spent about nine hours writing was able to fell a fully patched MacBook Pro.

Miller also says QuickTime is only one of the potentially vulnerable engines that the Second Life client depends on to render sound or video. Separate engines called fmod and Vivox, which are used to deliver sound effects and voice chat respectively, could also put users at risk.

To be fair, Second Life isn't much different than other 3-D environments. Bugs in games like Halo and World of Warcraft, for example, have allowed players to cheat. But the Second Life hack is notable given its connection to real economies and the interest companies such as AMD and IBM have shown in using the virtual world as a platform for transacting business.

"It's not obvious if I take over some random person's computer how I make money off that," Miller says. "Here, it's really easy to steal their money and cash it out."

And so far, he adds, Linden Labs seems to have no mechanism in place for detecting such heists.

"They're not doing much because last night I exploited a character 50 times," he says. "It was my own character, but they didn't know that. No power from above came down and said: 'stop that.' They certainly don't know when it happens because I do it all the time." ®

Internet Security Threat Report 2014

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.