The San Jose Mercury News exposed a Second Life exploit this weekend in which your avatar can be taken over and remote controlled. A demonstration of this technique shows an avatar walking within 100 ft of a malicious object, and the avatar losing L$ to the object. They also say that inventory items can be transferred using the same technique.
The exploit is detailed in this blog post at the San Jose Mercury News website (Lame Alert: the editor of the blog post included a screenshot from Sony Home in a post about Second Life <LOL>):
The article explains how the hack works:
“The hack works because Second Life allows users to embed videos or pictures in their virtual property. When a virtual character passes by an infected object planted by the hackers, the Second Life software activates QuickTime so it can play the video or picture. In doing so, QuickTime directs the Second Life software to a Web site. By exploiting the flaw in QuickTime, the hackers can direct the Second Life software to a malicious Web site that then allows them to take over the avatar and force it to hand over its Linden cash.”
From the looks of it, this is a pretty serious security flaw, one that raises questions about the way the Second Life client is secured. While the San Jose Mercury News post goes into depth as to how this exploit works, the “official” Second Life Blog goes very light on details and heavy on blame.
The post on the “official” Second Life blog explains the problem as:
“We were alerted a short time ago that a QuickTime exploit has been discovered which may allow an attacker to crash or exploit the Second Life viewer. The Second Life viewer uses Apple QuickTime to play videos and streaming media. This exploit affects QuickTime usage on every platform that uses it, and to date, Apple has not released a fix for the exploit.”
This explanation does not alert the resident that the main payload of the hack is to steal their L$ and/or inventory. Even in explaining the actions they will take, they do not state that L$ or objects are at risk:
“We are able to track attacks, and rest assured, if we discover a malicious stream, we will vigorously pursue the attacker. This will include account termination and legal action if appropriate, as well as the appropriate assistance for affected Residents.”
A malicious stream? How about “STOLEN L$”?!? That might make it a bit clearer to residents exactly what’s at risk here. As with any proof of concept, this exploit has not been shown to be loose in the wild yet. But now that these stories are out on the web, I am sure there are more than a few hackers focusing their attention on the HTML redirect of QuickTime, and it likely will be a lot easier to reproduce the hack knowing the exact vector of the exploit (courtesy of these reports).
I am not sure what is more disturbing: that this type of exploit can be executed via a malicious webpage inserted into the redirect of QuickTime, or that Linden Lab is tap dancing around the story and not getting their residents’ immediate attention by alerting them that their L$ and inventories are at risk. Their only advice for now is:
“At this time we advise that you disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue. To do this, just open the Preferences dialog, and uncheck the “Play Streaming Video When Available” checkbox on the “Audio & Video” tab.”
The thing that is even more unsettling is that this exploit relies on the client being redirected to a malicious website. And as Linden Lab has pointed out, the flaw that allows the client to be redirected is a flaw entirely contained within QuickTime. I am aware of many other objects in Second Life that access data out on the web. What exactly is the flaw that allows a malicious website to take control of an avatar and allow L$ and inventory to be transferred? I suspect this is not unique to QuickTime, and that all that is required is that the current Second Life client be redirected to the malicious website for the exploit to be executed. Might this also be why we have not seen browsers on prims in Second Life yet?
If(?) this is true, is this really an accurate statement made on the “official” Second Life blog:
“The bug is in QuickTime, and not in the Second Life viewer. When Apple has submitted a fix, we will integrate it into the viewer as quickly as possible, and will notify everyone once this has been done.”
I wrote a post a few weeks back about the lack of communication from Linden Lab to their users. The post was in reference to the login issues and stability issues over a period of a few weeks. This is a far more serious problem, and one that is again not getting the attention or detail necessary to alert the residents to their risk. If (and this is a big “IF” given the lack of information) the client can be compromised by user object access to malicious websites, we have a much more serious issue on our hands.
Let’s hope we get more information as we move through the coming week.