
Sadville insecurity invites pickpockets

'All your Lindens are belong to us'

This story was updated to correct information about how QuickTime vulnerabilities are exploited in Second Life. An option for viewing media must first be selected.

More than two months after security researchers released exploit code that steals money from Second Life users, residents of the virtual world remain vulnerable to similar hacks, the researchers say.

The exploit, which will be demonstrated for the first time on Saturday at the Shmoocon hacker conference in Washington, allows attackers to take control of user avatars, those custom-made cartoon characters that travel through the Second Life universe. Attackers can then force the avatar to exclaim "I've been hacked" as they pilfer virtual currency, which can be transferred into real dollars.

The demo works by exploiting an old vulnerability in Apple's QuickTime media player. While Apple has provided an update patching the hole, Second Life creator Linden Lab has done little to change the architecture that allowed the exploit to work in the first place. That means Second Life residents are at risk anytime there is an un-patched security bug in the Apple software. There were close to three-dozen such bugs last year, according to Secunia.

Prior to the demo, Second Life had been viewed as something of a benign place. It may have offered little more than scantily clad avatars selling lap dances and fuzzy animals congregating in discos, but it was largely viewed as a refuge from the web and email, where drive-by downloads and malicious attachments regularly turn PCs into mincemeat. Not anymore.

"In these virtual worlds, it's a whole new ballgame," says Charlie Miller, who developed the exploit along with Dino Dai Zovi. "How do you give a user information to stop that? It's counter to all the training people know right now about how to be safe."

Sadville's Sad Security

QuickTime exploits can be triggered anytime a Second Life resident passes onto a piece of virtual land controlled by an attacker, as long as a user has enabled a feature to view media. From then on, Second Life's client software will automatically activate QuickTime and open malicious links that are secretly embedded into the territory. Because music and video are such an integral part of the virtual experience, such links are a common occurrence.

Shortly after the demo was disclosed in late November, Linden Lab's Joe Miller counseled users to block the exploit by turning off video feeds. And, of course, he also advised them to install the QuickTime patch once it became available. Indeed, more recent versions of the Second Life client require users to have the most recent version of QuickTime in order to accept video feeds.

But so far, no one at the company has done anything to prevent similar un-patched vulnerabilities from exploiting Second Life users in the future.

"Second Life from a security perspective is horribly broken," says Greg Hoglund, author of the book Exploiting Online Games: Cheating Massively Distributed Systems. "When you look at Second Life, you know in your bones they simply did not think about security when they developed this application. It's broken from the inside."

Second Life representatives declined to comment for this story.

I Hack Myself

For now, the exploit can only steal money that's in a victim's virtual wallet, but Miller, who is perhaps best known for hacking the iPhone a mere three weeks after it was released, says he's in the process of rewriting the code so it automatically debits credit cards filed on Second Life servers. (Credit cards are required of all users who own virtual land.) He also says it would be "trivial" to modify the exploit so it installs a rootkit or other type of backdoor on a vulnerable machine.

The exploit was also developed by Dino Dai Zovi, who turned heads last year when an exploit he spent about nine hours writing was able to fell a fully patched MacBook Pro.

Miller also says QuickTime is only one of the potentially vulnerable engines that the Second Life client depends on to render sound or video. Separate engines called fmod and Vivox, which are used to deliver sound effects and voice chat respectively, could also put users at risk.

To be fair, Second Life isn't much different than other 3-D environments. Bugs in games like Halo and World of Warcraft, for example, have allowed players to cheat. But the Second Life hack is notable given its connection to real economies and the interest companies such as AMD and IBM have shown in using the virtual world as a platform for transacting business.

"It's not obvious if I take over some random person's computer how I make money off that," Miller says. "Here, it's really easy to steal their money and cash it out."

And so far, he adds, Linden Lab seems to have no mechanism in place for detecting such heists.

"They're not doing much because last night I exploited a character 50 times," he says. "It was my own character, but they didn't know that. No power from above came down and said: 'stop that.' They certainly don't know when it happens because I do it all the time." ®
