Hackers Find Second Life Vulnerability

December 1, 2007
Could virtual pickpockets separate your Second Life avatar from its in-game money, known as Lindens?

Dean Takahashi of the San Jose Mercury-News reports that a pair of white-hat hackers have identified an SL design flaw which allows a player's Lindens to be lifted. That's especially troubling because Lindens can easily be converted into real-world money.

Charles Miller (left) and Dino Dai Zovi discovered the vulnerability by exploiting a known issue with Apple's QuickTime video software. SL uses QuickTime to stream movies in-game. Said Dai Zovi:
It’s not kindergarten work, but this is pretty easy to do.

The hackers say that they could take over any avatar and remove all of its money and property. That represents a major threat to the players who make their living by creating and selling virtual goods within SL.  

CNET's Daniel Terdiman, author of The Entrepreneur’s Guide to Second Life, told Takahashi:
Second Life does not have bank-like security, nor any guarantees that any inventory item, let alone Linden dollars, won’t disappear...

That said, the economy remains very stable and I haven’t heard of situations where people’s Linden dollar accounts have vanished... Still, as one business owner said to me when I was researching the book, you should always have a backup plan in case of a glitch that causes you to lose everything, because you never know what might happen. 

Hacker Charles Miller said:
This all started when we were thinking about the intersection of virtual worlds and computer security. Banks clearly try to make their operations secure. Game companies haven’t thought about it the same way. They need to think more about security.

Miller notified Linden Lab about the flaw before announcing it. The company has notified SL residents but is apparently dependent upon Apple for a QuickTime fix.

Comments

Re: Hackers Find Second Life Vulnerability

Submitted by lonewolf (not verified) on Tue, 06/10/2008 - 13:05.

Hey, i'm getting the same message as RedSilver Auer

Your account has been disabled by Linden Lab.
Please Call 800-860-6990 during the hours of
9AM - 6PM PST, Monday - Friday.
 

both me and my younger brother have an account on SL, does this mean all my acc's in my application data file(users that i have logged on with recently) have all been hacked?

Thankyou

Submitted by Harry Miste (not verified) on Sun, 12/02/2007 - 18:12.
/b/ will be all over this.

Submitted by kurisu7885 (not verified) on Sat, 12/01/2007 - 08:56.
I do commend the hackers for letting Linden labs know of this, however, Linden is doing a real disservice to their customers by banking on Apple noticing and fixing it.

Now that it's public, and bunch of idiots determined to get something for nothing will figure it out and try to abuse it.

Submitted by Ken (not verified) on Sat, 12/01/2007 - 09:25.
Big deal. Only idiots would think that Second Life money is real and make such a big fuss over it.

Submitted by kurisu7885 (not verified) on Sat, 12/01/2007 - 09:30.
Actually, since Linden dollars do have real world value, it is in a sense real money being stolen

Submitted by Ben Ambroso (not verified) on Sat, 12/01/2007 - 09:33.
Uh, Second Life money IS real money. Linden Labs has set up a money transfer market that transfers in-game money (Lindens) to real world currency. Therefore, if you steal a couple character's money, you just go onto the Second Life website, and cash out. They send you the money back via check or PayPal. This was implemented due to everything being user created inside the game, instead of most games where all or atleast most of their in-game items are preset by the game itself.

So yes, this is a VERY big deal.

Submitted by DCOW (not verified) on Sat, 12/01/2007 - 10:05.
@ anyone using second life for business

get a real store

Submitted by RedSilver Auer (not verified) on Sat, 12/01/2007 - 10:11.
Greetings.

I've been hacked and lost my avatar. here is the message I have when I log in secondlife.com, now :

Your account has been disabled by Linden Lab.
Please Call 800-860-6990 during the hours of
9AM - 6PM PST, Monday - Friday.

Is there something I can do ?

Thanks.

Submitted by kurisu7885 (not verified) on Sat, 12/01/2007 - 10:58.
@DCOW

Learn the costs of getting a real store and get back to us.

Submitted by BlackIce, Dragunov Marksman (not verified) on Sat, 12/01/2007 - 13:22.
Hannah! Watch your purse.

Submitted by CyberSkull (not verified) on Sat, 12/01/2007 - 21:10.
Apple has a decent history of patching security holes, we'll probably see another security update for QuickTime before the end of December.

Submitted by Loque (not verified) on Sat, 12/01/2007 - 21:50.
CyberSkull, $10 says apple doesn't care about a vulnerability that only affects second life.

Submitted by kurisu7885 (not verified) on Sun, 12/02/2007 - 20:31.
@Harry Miste

Shit. I jsut realized that .they'll be stealing shit left and right.
 
Forgot your password?
Username :
Password :

Poll

Are you excited for the Xbox One?:

Shout box

You're not permitted to post shouts.
DorthLousI love how she plays the "I'm a parent, you're a gamer, you couldn't understand" card... I'm a parent and I find her position despicable...05/23/2013 - 4:16pm
E. Zachary KnightShe didn't address your questions because she doesn't have any answers.05/23/2013 - 3:38pm
Andrew EisenI replied to her comment. Maybe in a few weeks I'll get a reply.05/23/2013 - 3:24pm
Thomas Riordan@Andrew Eisen To what bowling alley does she go that puts sexual images in the faces of 6 year olds?05/23/2013 - 3:17pm
Andrew EisenWell, it took a month but Linda Stender finally replied to me... and didn't address a single one of my questions. http://aswlindastender.com/2013/04/23/follow-up-video-games-and-their-effect-on-children/05/23/2013 - 3:13pm
ImautobotAlso, from a tech perspective the PS4 is apparently already winning. http://bgr.com/2013/05/22/xbox-one-vs-playstation-4-specs/05/23/2013 - 3:12pm
ImautobotSony's PS4 motto should be "We play games." Microsoft's should be "We play games, when we're not rewinding your tapes."05/23/2013 - 3:11pm
Andrew EisenOh look, Dying Light was just announced For Everything But Wii U. That's 73.05/23/2013 - 2:06pm
james_fudgeZippy: they said the same thing about Cell. How did that turn out.05/23/2013 - 1:28pm
Andrew EisenNeed for Speed Rivals is coming out For Everything But Wii U - PS3, 360, PC, PS4 and Xbox One. That brings the grand total up to 72.05/23/2013 - 12:55pm
PHX Corphttp://wiiudaily.com/2013/05/microsoft-is-selling-the-wii-u-better-than-nintendo/ Wii U daily Opinion: Microsoft is selling the Wii U better than Nintendo05/23/2013 - 12:23pm
E. Zachary KnightZippy, they very well may be. But that will only last until they are released. At that time, they will be two generations behind.05/23/2013 - 11:14am
ZippyDSMleefor a good luagh, http://www.escapistmagazine.com/news/view/124288-EA-Exec-Xbox-One-and-PS4-Are-A-Generation-Ahead-Of-PC05/23/2013 - 10:55am
james_fudgeIt's about time! I need W805/23/2013 - 10:49am
MaskedPixelanteLooks like Gamepot is more willing to play ball than Square Enix. Wizardry 6+7 and 8 are available on GOG.05/23/2013 - 10:36am
DorthLousAnybody tried Hiversaire? Thoughts?05/22/2013 - 5:48pm
E. Zachary KnightNew Humble Bundle Weekly Sale. Alan Wake: https://www.humblebundle.com/weekly No Linux or Mac support. :(05/22/2013 - 1:46pm
E. Zachary KnightMicrosoft talks about the lack of backward compatability. You're backwards. http://www.gamasutra.com/view/news/192801/If_youre_backwards_compatible_youre_really_backwards.php05/22/2013 - 1:39pm
E. Zachary KnightThat is absolutely nuts there. As bad an experience XBox Indie Games was, the problems weren't with the self published side of things. Forcing a publisher onto independent studios is not going to help.05/22/2013 - 10:43am
MaskedPixelantehttp://www.eurogamer.net/articles/2013-05-22-microsoft-wont-let-indies-self-publish-on-xbox-one And the hits just keep on coming.05/22/2013 - 9:20am
All shouts
 

Be Heard - Contact Your Politician