Second Life Forums Archive - URGENT! LL security exploit

Joshua Nightshade

Registered dragon

Join date: 12 Oct 2004

Posts: 1,337

09-08-2006 10:10

I'm breaking the hiatus just to let you guys all know:

http://blog.secondlife.com/2006/09/08/urgent-security-announcement/

::returns to the void.::

_____________________

Visit in-world:
http://tinyurl.com/2zy63d

http://shop.onrez.com/Joshua_Nightshade
http://joshuameadows.com/

Wrom Morrison

Validated User

Join date: 15 Apr 2006

Posts: 462

09-08-2006 10:11

Yeah dude and what's funny is this :

Comments Off

Yeah you can't post anything on that blog entry.

_____________________

Content creators, please check this feature proposal. The aim of this proposal is to end re-sale rip-offs. (Also benefits freebie makers).

Finning Widget

No Ravens in my Mailbox

Join date: 27 Feb 2006

Posts: 591

09-08-2006 10:12

From: Wrom Morrison

Yeah dude and what's funny is this :

Comments Off

Yeah you can't post anything on that blog entry.

SHUT UP AND GET TO CHANGIN YA PASSWORD ALREADY

Tripper Tapioca

Stizzy

Join date: 15 Oct 2004

Posts: 48

09-08-2006 10:12

Yeah, they just made me change my password. I'll never remember it.

Phedre Aquitaine

I am the zombie queen

Join date: 26 Jan 2006

Posts: 1,157

09-08-2006 10:12

The words "oh, for FUCK'S sake" spring to mind.

_____________________

From: Billybob Goodliffe

everyone loves phedre
(excluding chickens), its in the TOS

Xplorer Cannoli

Cache Cleaner

Join date: 18 Sep 2005

Posts: 1,131

09-08-2006 10:13

Anybody wanna bet how this is going over well? Considering 100's have probably forgotten their security question answer.

Xplorer

Chronic Skronski

SL Live Musician

Join date: 23 Jun 2006

Posts: 997

09-08-2006 10:13

I noticed the comments being off, too. Good thing, otherwise that page would quickly fill with screaming and blaming, burying otherwise useful information.

What I am wondering - what is going to happen to the people whose email accounts with which they signed up no longer exist? 'Cause you KNOW there are going to be lots.

_____________________

A man without religion is like a fish without a bicycle.

Joshua Nightshade

Registered dragon

Join date: 12 Oct 2004

Posts: 1,337

09-08-2006 10:15

From: Xplorer Cannoli

Anybody wanna bet how this is going over well? Considering 100's have probably forgotten their security question answer.

Xplorer

Yeah, I actually had a really hard time with it.

I don't put legitimate answers into those security questions. My life's a pretty open book and if someone who knows me were determined to do something it's not very hard to find the answers to pretty much any question about me that isn't something you'd see on a bank loan application.

Street you grew up on? Sheesh.

_____________________

Visit in-world:
http://tinyurl.com/2zy63d

http://shop.onrez.com/Joshua_Nightshade
http://joshuameadows.com/

Wrom Morrison

Validated User

Join date: 15 Apr 2006

Posts: 462

09-08-2006 10:16

Two days ago there were a buch of posts about people who got their accounts hacked, this must be that.

_____________________

Content creators, please check this feature proposal. The aim of this proposal is to end re-sale rip-offs. (Also benefits freebie makers).

Travis Lambert

White dog, red collar

Join date: 3 Jun 2004

Posts: 2,819

09-08-2006 10:18

This is a really, really bad day to be working in Support at Linden Labs.

_____________________

------------------
The Shelter

The Shelter is a non-profit recreation center for new residents, and supporters of new residents. Our goal is to provide a positive & supportive social environment for those looking for one in our overwhelming world.

Margaret Mfume

I.C.

Join date: 30 Dec 2004

Posts: 2,492

What is "show us your cocks"?

09-08-2006 10:20

Josh's password.

_____________________

hush

0mega Pixel

Registered User

Join date: 28 Jan 2006

Posts: 47

locked

09-08-2006 10:22

yea i couldnt remeber what i put as my security question either, damnit what can be done?

Athena Sterling

Voided Earthing

Join date: 1 May 2006

Posts: 186

09-08-2006 10:22

ROTF!!...

just think of how many greifer accounts just became unsable! everyone who signed up with a fake email has just lost there accounts.

LL +1 / Greifers 0

However... Hope no one legit gets screwed by this.

_____________________

Solo Junkies Skybox ( secondlife://Solo Junkies/192/192/ ) : The oldest and largest solo based gaming arcade for a reason, pure and simple honesty...

Joshua Nightshade

Registered dragon

Join date: 12 Oct 2004

Posts: 1,337

09-08-2006 10:23

From: Margaret Mfume

Josh's password.

bitch.

_____________________

Visit in-world:
http://tinyurl.com/2zy63d

http://shop.onrez.com/Joshua_Nightshade
http://joshuameadows.com/

Joshua Nightshade

Registered dragon

Join date: 12 Oct 2004

Posts: 1,337

09-08-2006 10:24

/139/cb/135851/1.html#post1275880

_____________________

Visit in-world:
http://tinyurl.com/2zy63d

http://shop.onrez.com/Joshua_Nightshade
http://joshuameadows.com/

Yiffy Yaffle

Purple SpiritWolf Mystic

Join date: 22 Oct 2004

Posts: 2,802

09-08-2006 10:24

I have like a lot of alts lol... *cries knowing it will take all day* Not only do i have to validate passwords, but emails addresses too. Not all using real ones </CONFESSION!!!>... Oh well, atleast they protected our accounts from further damages. Sorry to hear about all those who were hacked over this. My heart goes out to you.

EDIT: Shit.. well thats a bunch of unverified accounts lost.. I didnt use real email addresses for them now i cant even change the passwords.

_____________________

YouTube channel -+- Website -+- RezzedNet Profile

Lord Sullivan

DTC at all times :)

Join date: 15 Dec 2005

Posts: 2,870

09-08-2006 10:25

Thank you for coming outa hibernation

_____________________

Independent Shopping for Second Life residents from established and new merchants.

http://slapt.me

slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26

Kimberly Casanova

Meh.

Join date: 24 May 2004

Posts: 787

09-08-2006 10:25

Changed my password twice, keeps telling me to change it. Is this happening to anyone else?

_____________________

Kimmers

http://www.kimberly-casanova.blogspot.com/

Burke Prefect

Cafe Owner, Superhero

Join date: 29 Oct 2004

Posts: 2,785

09-08-2006 10:27

Hooah to LL for getting on this and taking needed actions (if slight overkill) to block trouble before it hits.

_____________________

My Blog | My Board | My Cafe| My Slex

Dale Glass

Evil Scripter

Join date: 12 Feb 2006

Posts: 252

09-08-2006 10:27

From: Joshua Nightshade

Yeah, I actually had a really hard time with it.

I don't put legitimate answers into those security questions. My life's a pretty open book and if someone who knows me were determined to do something it's not very hard to find the answers to pretty much any question about me that isn't something you'd see on a bank loan application.

Hehe, indeed. Reminds me a lot of this strip

Lorelei Patel

was here

Join date: 22 Feb 2004

Posts: 1,940

09-08-2006 10:27

LOL

I so expected last-day pranks that I didn't believe this until I went to the Linden Announcements section to verify it.

Would have been a great end-of-the-forums prank, though, tricking everyone into changing their password.

_____________________

============
Broadly offensive.

Lewis Nerd

Nerd by name and nature!

Join date: 9 Oct 2005

Posts: 3,431

09-08-2006 10:28

They waited TWO FREAKIN DAYS TO TELL US???????

My god.... that's outrageous.

Lewis

_____________________

Second Life Stratics - your new premier resource for all things Second Life. Free to join, sign up today!

Pocket Protector Projects - Rosieri 90,234,84 - building and landscaping services

Jillian Callahan

Rotary-winged Neko Girl

Join date: 24 Jun 2004

Posts: 3,766

09-08-2006 10:28

Just a warning: Due to more brilliant programming, the change password page will allow you to choose a password that is longer than the login page will accept.

I didn't count, but it looks like it's 16 characters max, or so.

_____________________

Amber Stonecutter

Bruxing Babe

Join date: 13 Sep 2005

Posts: 296

09-08-2006 10:30

. . . wtf.

Tuach Noh

Ignorant Knowlessman

Join date: 2 Aug 2006

Posts: 79

09-08-2006 10:30

I would like to know why they were storing cleartext passwords in the first place, as opposed to hashed passwords. There is simply no good reason to do that.

Of course it may be that the passwords *are* hashed and they just want to prevent a dictionary attack against all the morons who used "password" as their password.

I word further like to know why the passwords are somehow less secure than the (presumably) cleartext answer to the security question, which might also be inferrable from the person's personal information.

In other words: After you finish changing your password, change your security question and answer too, just to be on the safe side.

URGENT! LL security exploit
Joshua Nightshade Registered dragon Join date: 12 Oct 2004 Posts: 1,337	09-08-2006 10:10 I'm breaking the hiatus just to let you guys all know: http://blog.secondlife.com/2006/09/08/urgent-security-announcement/ ::returns to the void.:: _____________________ Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
Wrom Morrison Validated User Join date: 15 Apr 2006 Posts: 462	09-08-2006 10:11 Yeah dude and what's funny is this : Comments Off Yeah you can't post anything on that blog entry. _____________________ Content creators, please check this feature proposal. The aim of this proposal is to end re-sale rip-offs. (Also benefits freebie makers).
Finning Widget No Ravens in my Mailbox Join date: 27 Feb 2006 Posts: 591	09-08-2006 10:12 From: Wrom Morrison Yeah dude and what's funny is this : Comments Off Yeah you can't post anything on that blog entry. SHUT UP AND GET TO CHANGIN YA PASSWORD ALREADY
Tripper Tapioca Stizzy Join date: 15 Oct 2004 Posts: 48	09-08-2006 10:12 Yeah, they just made me change my password. I'll never remember it.
Phedre Aquitaine I am the zombie queen Join date: 26 Jan 2006 Posts: 1,157	09-08-2006 10:12 The words "oh, for FUCK'S sake" spring to mind. _____________________ From: Billybob Goodliffe everyone loves phedre (excluding chickens), its in the TOS
Xplorer Cannoli Cache Cleaner Join date: 18 Sep 2005 Posts: 1,131	09-08-2006 10:13 Anybody wanna bet how this is going over well? Considering 100's have probably forgotten their security question answer. Xplorer
Chronic Skronski SL Live Musician Join date: 23 Jun 2006 Posts: 997	09-08-2006 10:13 I noticed the comments being off, too. Good thing, otherwise that page would quickly fill with screaming and blaming, burying otherwise useful information. What I am wondering - what is going to happen to the people whose email accounts with which they signed up no longer exist? 'Cause you KNOW there are going to be lots. _____________________ A man without religion is like a fish without a bicycle.
Joshua Nightshade Registered dragon Join date: 12 Oct 2004 Posts: 1,337	09-08-2006 10:15 From: Xplorer Cannoli Anybody wanna bet how this is going over well? Considering 100's have probably forgotten their security question answer. Xplorer Yeah, I actually had a really hard time with it. I don't put legitimate answers into those security questions. My life's a pretty open book and if someone who knows me were determined to do something it's not very hard to find the answers to pretty much any question about me that isn't something you'd see on a bank loan application. Street you grew up on? Sheesh. _____________________ Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
Wrom Morrison Validated User Join date: 15 Apr 2006 Posts: 462	09-08-2006 10:16 Two days ago there were a buch of posts about people who got their accounts hacked, this must be that. _____________________ Content creators, please check this feature proposal. The aim of this proposal is to end re-sale rip-offs. (Also benefits freebie makers).
Travis Lambert White dog, red collar Join date: 3 Jun 2004 Posts: 2,819	09-08-2006 10:18 This is a really, really bad day to be working in Support at Linden Labs. _____________________ ------------------ The Shelter The Shelter is a non-profit recreation center for new residents, and supporters of new residents. Our goal is to provide a positive & supportive social environment for those looking for one in our overwhelming world.
Margaret Mfume I.C. Join date: 30 Dec 2004 Posts: 2,492	What is "show us your cocks"? 09-08-2006 10:20 Josh's password. _____________________ hush
0mega Pixel Registered User Join date: 28 Jan 2006 Posts: 47	locked 09-08-2006 10:22 yea i couldnt remeber what i put as my security question either, damnit what can be done?
Athena Sterling Voided Earthing Join date: 1 May 2006 Posts: 186	09-08-2006 10:22 ROTF!!... just think of how many greifer accounts just became unsable! everyone who signed up with a fake email has just lost there accounts. LL +1 / Greifers 0 However... Hope no one legit gets screwed by this. _____________________ Solo Junkies Skybox ( secondlife://Solo Junkies/192/192/ ) : The oldest and largest solo based gaming arcade for a reason, pure and simple honesty...
Joshua Nightshade Registered dragon Join date: 12 Oct 2004 Posts: 1,337	09-08-2006 10:23 From: Margaret Mfume Josh's password. bitch. _____________________ Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
Joshua Nightshade Registered dragon Join date: 12 Oct 2004 Posts: 1,337	09-08-2006 10:24 /139/cb/135851/1.html#post1275880 _____________________ Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
Yiffy Yaffle Purple SpiritWolf Mystic Join date: 22 Oct 2004 Posts: 2,802	09-08-2006 10:24 I have like a lot of alts lol... cries knowing it will take all day Not only do i have to validate passwords, but emails addresses too. Not all using real ones </CONFESSION!!!>... Oh well, atleast they protected our accounts from further damages. Sorry to hear about all those who were hacked over this. My heart goes out to you. EDIT: Shit.. well thats a bunch of unverified accounts lost.. I didnt use real email addresses for them now i cant even change the passwords. _____________________ YouTube channel -+- Website -+- RezzedNet Profile
Lord Sullivan DTC at all times :) Join date: 15 Dec 2005 Posts: 2,870	09-08-2006 10:25 Thank you for coming outa hibernation _____________________ Independent Shopping for Second Life residents from established and new merchants. http://slapt.me slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26
Kimberly Casanova Meh. Join date: 24 May 2004 Posts: 787	09-08-2006 10:25 Changed my password twice, keeps telling me to change it. Is this happening to anyone else? _____________________ Kimmers http://www.kimberly-casanova.blogspot.com/
Burke Prefect Cafe Owner, Superhero Join date: 29 Oct 2004 Posts: 2,785	09-08-2006 10:27 Hooah to LL for getting on this and taking needed actions (if slight overkill) to block trouble before it hits. _____________________ My Blog \| My Board \| My Cafe\| My Slex
Dale Glass Evil Scripter Join date: 12 Feb 2006 Posts: 252	09-08-2006 10:27 From: Joshua Nightshade Yeah, I actually had a really hard time with it. I don't put legitimate answers into those security questions. My life's a pretty open book and if someone who knows me were determined to do something it's not very hard to find the answers to pretty much any question about me that isn't something you'd see on a bank loan application. Hehe, indeed. Reminds me a lot of this strip
Lorelei Patel was here Join date: 22 Feb 2004 Posts: 1,940	09-08-2006 10:27 LOL I so expected last-day pranks that I didn't believe this until I went to the Linden Announcements section to verify it. Would have been a great end-of-the-forums prank, though, tricking everyone into changing their password. _____________________ ============ Broadly offensive.
Lewis Nerd Nerd by name and nature! Join date: 9 Oct 2005 Posts: 3,431	09-08-2006 10:28 They waited TWO FREAKIN DAYS TO TELL US??????? My god.... that's outrageous. Lewis _____________________ Second Life Stratics - your new premier resource for all things Second Life. Free to join, sign up today! Pocket Protector Projects - Rosieri 90,234,84 - building and landscaping services
Jillian Callahan Rotary-winged Neko Girl Join date: 24 Jun 2004 Posts: 3,766	09-08-2006 10:28 Just a warning: Due to more brilliant programming, the change password page will allow you to choose a password that is longer than the login page will accept. I didn't count, but it looks like it's 16 characters max, or so. _____________________
Amber Stonecutter Bruxing Babe Join date: 13 Sep 2005 Posts: 296	09-08-2006 10:30 . . . wtf.
Tuach Noh Ignorant Knowlessman Join date: 2 Aug 2006 Posts: 79	09-08-2006 10:30 I would like to know why they were storing cleartext passwords in the first place, as opposed to hashed passwords. There is simply no good reason to do that. Of course it may be that the passwords are hashed and they just want to prevent a dictionary attack against all the morons who used "password" as their password. I word further like to know why the passwords are somehow less secure than the (presumably) cleartext answer to the security question, which might also be inferrable from the person's personal information. In other words: After you finish changing your password, change your security question and answer too, just to be on the safe side.

Welcome to the Second Life Forums Archive

URGENT! LL security exploit