Sadville insecurity invites pickpockets

This story was updated to correct information about how QuickTime vulnerabilities are exploited in Second Life. An option for viewing media must first be selected.

More than two months after security researchers released exploit code that steals money from Second Life users, residents of the virtual world remain vulnerable to similar hacks, the researchers say.

The exploit, which will be demonstrated for the first time on Saturday at the Shmoocon hacker conference in Washington, allows attackers to take control of user avatars, those custom-made cartoon character that travel through the Second Life universe. Attackers can then force the avatar to exclaim "I've been hacked" as they pilfer virtual currency, which can be transfered into real dollars.

The demo works by exploiting an old vulnerability in Apple's QuickTime media player. While Apple has provided an update patching the hole, Second Life creator Linden Lab has done little to change the architecture that allowed the exploit to work in the first place. That means Second Life residents are at risk anytime there is an un-patched security bug in the Apple software. There were close to three-dozen such bugs last year, according to Secunia.

Prior to the demo, Second Life had been viewed as something of a benign place. It may have offered little more than scantily clad avatars selling lap dances and fuzzy animals congregating in discos, but it was largely viewed as a refuge from the web and email, where drive-by downloads and malicious attachments regularly turn PCs into mincemeat. Not anymore.

"In these virtual worlds, it's a whole new ballgame," says Charlie Miller, who developed the exploit along with Dino Dai Zovi. "How do you give a user information to stop that? It's counter to all the training people know right now about how to be safe."

Sadville's Sad Security

QuickTime exploits can be triggered anytime a Second Life resident passes onto a piece of virtual land controlled by an attacker, as long as a user has enabled a feature to view media. From then on, Second Life's client software will automatically activate QuickTime and open malicious links that are secretly embedded into the territory. Because music and video are such an integral part to the virtual experience, such links are a common occurrence.

Shortly after the demo was disclosed in late November, Linden Lab's Joe Miller counseled users to block the exploit by turning off video feeds. And, of course, he also advised them to install the QuickTime patch once it became available. Indeed, more recent versions of the Second Life client require users to have the most recent version of QuickTime in order to accept video feeds.

But so far, no one at the company has done anything to prevent similar un-patched vulnerabilities from exploiting Second Life users in the future.

"Second Life from a security perspective is horribly broken," says Greg Hogland, author of the book Exploiting Online Games: Cheating Massively Distributed Systems. "When you look at Second Life, you know in your bones they simply did not think about security when they developed this application. It's broken from the inside."

Second Life representatives declined to comment for this story.

I Hack Myself

For now, the exploit can only steal money that's in a victim's virtual wallet, but Miller, who is perhaps best known for hacking the iPhone a mere three weeks after it was released, says he's in the process of rewriting the code so it automatically debits credit cards filed on Second Life servers. (Credit cards are required of all users who own virtual land.) He also says it would be "trivial" to modify the exploit so it installs a rootkit or other type of backdoor on a vulnerable machine.

The exploit was also developed by Dino Dai Zovi, who turned heads last year when an exploit he spent about nine hours writing was able to fell a fully patched MacBook Pro.

Miller also says QuickTime is only one of the potentially vulnerable engines that the Second Life client depends on to render sound or video. Separate engines called fmod and Vivox, which are used to deliver sound effects and voice chat respectively, could also put users at risk.

To be fair, Second Life isn't much different than other 3-D environments. Bugs in games like Halo and World of Warcraft, for example, have allowed players to cheat. But the Second Life hack is notable given its connection to real economies and the interest companies such as AMD and IBM have shown in using the virtual world as a platform for transacting business.

"It's not obvious if I take over some random person's computer how I make money off that," Miller says. "Here, it's really easy to steal their money and cash it out."

And so far, he adds, Linden Labs seems to have no mechanism in place for detecting such heists.

"They're not doing much because last night I exploited a character 50 times," he says. "It was my own character, but they didn't know that. No power from above came down and said: 'stop that.' They certainly don't know when it happens because I do it all the time." ®