Hackers Find Second Life Vulnerability

December 1, 2007
Could virtual pickpockets separate your Second Life avatar from its in-game money, known as Lindens?

Dean Takahashi of the San Jose Mercury News reports that a pair of white-hat hackers have identified an SL design flaw that allows a player's Lindens to be lifted. That's especially troubling because Lindens can easily be converted into real-world money.

Charles Miller and Dino Dai Zovi discovered the vulnerability by exploiting a known issue with Apple's QuickTime video software. SL uses QuickTime to stream movies in-game. Said Dai Zovi:
It’s not kindergarten work, but this is pretty easy to do.

The hackers say that they could take over any avatar and remove all of its money and property. That represents a major threat to the players who make their living by creating and selling virtual goods within SL.

CNET's Daniel Terdiman, author of The Entrepreneur’s Guide to Second Life, told Takahashi:
Second Life does not have bank-like security, nor any guarantees that any inventory item, let alone Linden dollars, won’t disappear...

That said, the economy remains very stable and I haven’t heard of situations where people’s Linden dollar accounts have vanished... Still, as one business owner said to me when I was researching the book, you should always have a backup plan in case of a glitch that causes you to lose everything, because you never know what might happen. 

Hacker Charles Miller said:
This all started when we were thinking about the intersection of virtual worlds and computer security. Banks clearly try to make their operations secure. Game companies haven’t thought about it the same way. They need to think more about security.

Miller notified Linden Lab about the flaw before announcing it. The company has notified SL residents but is apparently dependent upon Apple for a QuickTime fix.

Comments

Re: Hackers Find Second Life Vulnerability

Hey, I'm getting the same message as RedSilver Auer:

Your account has been disabled by Linden Lab.
Please Call 800-860-6990 during the hours of
9AM - 6PM PST, Monday - Friday.

Both my younger brother and I have accounts on SL. Does this mean all my accounts in my application data file (users that I have logged on with recently) have been hacked?

Thank you

/b/ will be all over this.

I do commend the hackers for letting Linden Lab know of this; however, Linden is doing a real disservice to their customers by banking on Apple noticing and fixing it.

Now that it's public, a bunch of idiots determined to get something for nothing will figure it out and try to abuse it.

Big deal. Only idiots would think that Second Life money is real and make such a big fuss over it.

Actually, since Linden dollars do have real-world value, it is in a sense real money being stolen.

Uh, Second Life money IS real money. Linden Lab has set up a money transfer market that converts in-game money (Lindens) to real-world currency. Therefore, if you steal a couple of characters' money, you just go onto the Second Life website and cash out. They send you the money via check or PayPal. This was implemented because everything is user-created inside the game, unlike most games, where all or at least most of the in-game items are preset by the game itself.

So yes, this is a VERY big deal.

@ anyone using second life for business

Get a real store.

Greetings.

I've been hacked and lost my avatar. Here is the message I get when I log in to secondlife.com now:

Your account has been disabled by Linden Lab.
Please Call 800-860-6990 during the hours of
9AM - 6PM PST, Monday - Friday.

Is there something I can do?

Thanks.

@DCOW

Learn the costs of getting a real store and get back to us.

Hannah! Watch your purse.

Apple has a decent history of patching security holes, we'll probably see another security update for QuickTime before the end of December.

CyberSkull, $10 says Apple doesn't care about a vulnerability that only affects Second Life.

@Harry Miste

Shit. I just realized that they'll be stealing shit left and right.
