Hackers Find Second Life Vulnerability

December 1, 2007
Could virtual pickpockets separate your Second Life avatar from its in-game money, known as Lindens?

Dean Takahashi of the San Jose Mercury-News reports that a pair of white-hat hackers have identified an SL design flaw which allows a player's Lindens to be lifted. That's especially troubling because Lindens can easily be converted into real-world money.

Charles Miller and Dino Dai Zovi discovered the vulnerability by exploiting a known issue with Apple's QuickTime video software. SL uses QuickTime to stream movies in-game. Said Dai Zovi:
It’s not kindergarten work, but this is pretty easy to do.

The hackers say that they could take over any avatar and remove all of its money and property. That represents a major threat to the players who make their living by creating and selling virtual goods within SL.  

CNET's Daniel Terdiman, author of The Entrepreneur’s Guide to Second Life, told Takahashi:
Second Life does not have bank-like security, nor any guarantees that any inventory item, let alone Linden dollars, won’t disappear...

That said, the economy remains very stable and I haven’t heard of situations where people’s Linden dollar accounts have vanished... Still, as one business owner said to me when I was researching the book, you should always have a backup plan in case of a glitch that causes you to lose everything, because you never know what might happen. 

Hacker Charles Miller said:
This all started when we were thinking about the intersection of virtual worlds and computer security. Banks clearly try to make their operations secure. Game companies haven’t thought about it the same way. They need to think more about security.

Miller notified Linden Lab about the flaw before announcing it. The company has notified SL residents but is apparently dependent upon Apple for a QuickTime fix.

Comments

Re: Hackers Find Second Life Vulnerability

Hey, I'm getting the same message as RedSilver Auer

Your account has been disabled by Linden Lab.
Please Call 800-860-6990 during the hours of
9AM - 6PM PST, Monday - Friday.
 

Both me and my younger brother have an account on SL, does this mean all my acc's in my application data file (users that I have logged on with recently) have all been hacked?

Thank you

/b/ will be all over this.

I do commend the hackers for letting Linden labs know of this, however, Linden is doing a real disservice to their customers by banking on Apple noticing and fixing it.

Now that it's public, a bunch of idiots determined to get something for nothing will figure it out and try to abuse it.

Big deal. Only idiots would think that Second Life money is real and make such a big fuss over it.

Actually, since Linden dollars do have real world value, it is in a sense real money being stolen

Uh, Second Life money IS real money. Linden Labs has set up a money transfer market that transfers in-game money (Lindens) to real world currency. Therefore, if you steal a couple character's money, you just go onto the Second Life website, and cash out. They send you the money back via check or PayPal. This was implemented due to everything being user created inside the game, instead of most games where all or at least most of their in-game items are preset by the game itself.

So yes, this is a VERY big deal.

@ anyone using second life for business

get a real store

Greetings.

I've been hacked and lost my avatar. Here is the message I have when I log in secondlife.com, now:

Your account has been disabled by Linden Lab.
Please Call 800-860-6990 during the hours of
9AM - 6PM PST, Monday - Friday.

Is there something I can do?

Thanks.

@DCOW

Learn the costs of getting a real store and get back to us.

Hannah! Watch your purse.

Apple has a decent history of patching security holes, we'll probably see another security update for QuickTime before the end of December.

CyberSkull, $10 says Apple doesn't care about a vulnerability that only affects Second Life.

@Harry Miste

Shit. I just realized that they'll be stealing shit left and right.
 