Sadville insecurity invites pickpockets

'All your Lindens are belong to us'


This story was updated to correct information about how QuickTime vulnerabilities are exploited in Second Life. An option for viewing media must first be selected.

More than two months after security researchers released exploit code that steals money from Second Life users, residents of the virtual world remain vulnerable to similar hacks, the researchers say.

The exploit, which will be demonstrated for the first time on Saturday at the Shmoocon hacker conference in Washington, allows attackers to take control of user avatars, those custom-made cartoon characters that travel through the Second Life universe. Attackers can then force the avatar to exclaim "I've been hacked" as they pilfer virtual currency, which can be transferred into real dollars.

The demo works by exploiting an old vulnerability in Apple's QuickTime media player. While Apple has provided an update patching the hole, Second Life creator Linden Lab has done little to change the architecture that allowed the exploit to work in the first place. That means Second Life residents are at risk anytime there is an unpatched security bug in the Apple software. There were close to three dozen such bugs last year, according to Secunia.

Prior to the demo, Second Life had been viewed as something of a benign place. It may have offered little more than scantily clad avatars selling lap dances and fuzzy animals congregating in discos, but it was largely viewed as a refuge from the web and email, where drive-by downloads and malicious attachments regularly turn PCs into mincemeat. Not anymore.

"In these virtual worlds, it's a whole new ballgame," says Charlie Miller, who developed the exploit along with Dino Dai Zovi. "How do you give a user information to stop that? It's counter to all the training people know right now about how to be safe."

Sadville's Sad Security

QuickTime exploits can be triggered anytime a Second Life resident passes onto a piece of virtual land controlled by an attacker, as long as the user has enabled a feature to view media. From then on, Second Life's client software will automatically activate QuickTime and open malicious links that are secretly embedded into the territory. Because music and video are such an integral part of the virtual experience, such links are a common occurrence.

Shortly after the demo was disclosed in late November, Linden Lab's Joe Miller counseled users to block the exploit by turning off video feeds. And, of course, he also advised them to install the QuickTime patch once it became available. Indeed, more recent versions of the Second Life client require users to have the most recent version of QuickTime in order to accept video feeds.

But so far, no one at the company has done anything to prevent similar unpatched vulnerabilities from exploiting Second Life users in the future.

"Second Life from a security perspective is horribly broken," says Greg Hoglund, author of the book Exploiting Online Games: Cheating Massively Distributed Systems. "When you look at Second Life, you know in your bones they simply did not think about security when they developed this application. It's broken from the inside."

Second Life representatives declined to comment for this story.

I Hack Myself

For now, the exploit can only steal money that's in a victim's virtual wallet, but Miller, who is perhaps best known for hacking the iPhone a mere three weeks after it was released, says he's in the process of rewriting the code so it automatically debits credit cards filed on Second Life servers. (Credit cards are required of all users who own virtual land.) He also says it would be "trivial" to modify the exploit so it installs a rootkit or other type of backdoor on a vulnerable machine.

The exploit was also developed by Dino Dai Zovi, who turned heads last year when an exploit he spent about nine hours writing was able to fell a fully patched MacBook Pro.

Miller also says QuickTime is only one of the potentially vulnerable engines that the Second Life client depends on to render sound or video. Separate engines called fmod and Vivox, which are used to deliver sound effects and voice chat respectively, could also put users at risk.

To be fair, Second Life isn't much different than other 3-D environments. Bugs in games like Halo and World of Warcraft, for example, have allowed players to cheat. But the Second Life hack is notable given its connection to real economies and the interest companies such as AMD and IBM have shown in using the virtual world as a platform for transacting business.

"It's not obvious if I take over some random person's computer how I make money off that," Miller says. "Here, it's really easy to steal their money and cash it out."

And so far, he adds, Linden Lab seems to have no mechanism in place for detecting such heists.

"They're not doing much because last night I exploited a character 50 times," he says. "It was my own character, but they didn't know that. No power from above came down and said: 'stop that.' They certainly don't know when it happens because I do it all the time."
