People able to pay L$1 instead of L$1000
|
Markus Lerner
Registered User
Join date: 21 Apr 2008
Posts: 18
|
11-16-2009 09:02
Hello, I have run into an issue that allows people to pay L$1 to play a game instead of the L$1000 that is required. I have lost over L$2,100,000 over the past 3 days before I realized that there was a problem and I submitted an abuse report for all 5 of the offending individuals.
I cannot duplicate this issue and I have no idea how they are doing it. After I found the problem I tested the game and when I tried to test the machine by paying it the payment box that showed up was for the full amount of L$1000 yet I have over a thousand payments for L$1 that initiated the game, and the game paid out L$10,000 for each win.
Needless to say I have pulled the game Skillingo from my establishment but this issue needs to be addressed as people are being taken advantage of.
|
Nokuma Strangelove
skadgbsld,gmnfdsh
Join date: 20 Nov 2005
Posts: 119
|
11-16-2009 10:06
File a support ticket with Linden Labs.
_____________________
AMD Athlon 6000+ 3.0 GHz | NVIDIA GeForce 9800GTX+ 1 gig OC | 4 gig RAM | 1.5 TB HDD | 1 TB HDD | SAITEK ECLIPSE II keyboard | 50" Sony WEGA | 19" Gateway Secondary Monitor| Microsoft 5000 wireless laser mouse | Windows 7 Pro | Ubuntu | <3|
TOSHIBA L555D | 2.3 GHZ DUAL CORE | WIN 7 HOME PREMIUM | ATI RADEON 3100 | 4.OG RAM | 250 GB HDD | Nokuma
|
Markus Lerner
Registered User
Join date: 21 Apr 2008
Posts: 18
|
11-16-2009 10:12
I filed a technical issue ticket to LL along with an abuse report of the thieves and how much each stole from me.
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
11-16-2009 10:17
Are you checking that the amount paid is actually what you requested or are you depending on the user actually paying the amount you put up in the pay dialog?

Always (ALWAYS!) check the amount paid in your money() event. This UI element isn't modal, and has had bugs exploited in the past. Never trust the client software to be secure.
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
11-16-2009 10:24
From: Argent Stonecutter
"Always (ALWAYS!) check the amount paid in your money() event. This UI element isn't modal, and has had bugs exploited in the past.
Never trust the client software to be secure."

Quoted because it deserves to be said again...
_____________________
Sick of sims locking up every time somebody TPs in? Vote for SVC-3895!!!
- Go here: https://jira.secondlife.com/browse/SVC-3895
- If you see "if you were logged in.." on the left, click it and log in
- Click the "Vote for it" link on the left
|
Markus Lerner
Registered User
Join date: 21 Apr 2008
Posts: 18
|
11-16-2009 10:41
I'm not exactly savvy when it comes to these things, all I know is that someone used a bug to exploit the game and steal money from me. I'm sure that the odds of me seeing that nearly $8000USD again even if LL busts the culprits are pretty close to 0, I just want it fixed so money doesn't get stolen from me again, this nearly put me out of business. I'm just rambling now, can you blame me, I'm still just a wee bit angry that this could even be possible.
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
11-16-2009 10:49
What does your money() event look like? If it's not your script you need to contact the author. If it's your script, you need to be savvy about these things if you're going to commit thousands of real dollars to it. 
|
Markus Lerner
Registered User
Join date: 21 Apr 2008
Posts: 18
|
11-16-2009 10:56
I have only put a couple of hundred dollars into this game and have built my empire from the ground up. I buy the games that I set up from a third party, and the game in question worked fine without any exploits for over a year, then boom 5 people come in and nearly wiped me out over a period of 3 days.
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
11-16-2009 11:00
Sounds like it's a bug in that game, then, and not a bug in SL at all. You need to check with the author AND check with the authors of your other games to make sure they're careful to check in the money() event.
|
Markus Lerner
Registered User
Join date: 21 Apr 2008
Posts: 18
|
11-16-2009 11:04
How can it be a bug in the game when you pay it you only have the option to pay the set amount?
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
11-16-2009 11:10
From: Markus Lerner
"How can it be a bug in the game when you pay it you only have the option to pay the set amount?"

Because Second Life does not enforce that payment. The pay price is only a suggestion, and it has been only a suggestion ever since it was introduced. It's a convenience option. To make it enforced it would need to transactionalize the operation, so that putting up an llSetPayPrice() dialog blocked all payments except for those from the avatar that it was targeted at. This is very difficult to solve in the general case (what happens if the payment is canceled? What happens if the user just doesn't do anything? They could DoS all your machines just by sitting somewhere and clicking on them, so nobody could play) so LL treats it as two transactions and documents the fact that it's two transactions and you HAVE TO check.
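
Added example, not part of the thread and not the Skillingo script: a minimal LSL vendor that treats llSetPayPrice() as a hint and enforces the price in money(), refunding anything else. PRICE uses the thread's L$1000 figure; start_game() is a hypothetical placeholder for the game's own logic.

```lsl
// Added illustration. PRICE and start_game() are assumptions, not code from
// the game discussed in this thread.
integer PRICE = 1000;   // L$ required per play

start_game(key player)
{
    // Hypothetical placeholder: the real game logic would start here.
    llInstantMessage(player, "Payment verified, starting game.");
}

default
{
    state_entry()
    {
        // Viewer-side hint only: hide the free-text field and show a single
        // L$1000 button. Nothing here is enforced by the simulator.
        llSetPayPrice(PAY_HIDE, [PRICE, PAY_HIDE, PAY_HIDE, PAY_HIDE]);
        // Debit permission is needed so wrong amounts can be refunded.
        llRequestPermissions(llGetOwner(), PERMISSION_DEBIT);
    }

    run_time_permissions(integer perm)
    {
        if (!(perm & PERMISSION_DEBIT))
            llOwnerSay("Debit permission refused: wrong payments cannot be refunded.");
    }

    money(key payer, integer amount)
    {
        // The authoritative check: 'amount' is what was actually paid,
        // whatever the pay dialog displayed.
        if (amount != PRICE)
        {
            if (llGetPermissions() & PERMISSION_DEBIT)
                llGiveMoney(payer, amount);   // return exactly what was sent
            llInstantMessage(payer, "This game costs L$" + (string)PRICE
                + ". Your payment of L$" + (string)amount + " was not accepted.");
            return;   // never start the game or pay out on a wrong amount
        }
        start_game(payer);
    }
}
```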
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
11-16-2009 11:10
From: Markus Lerner
"How can it be a bug in the game when you pay it you only have the option to pay the set amount?"

/me quotes it again...

From: Argent Stonecutter quoting the wiki
"Always (ALWAYS!) check the amount paid in your money() event. This UI element isn't modal, and has had bugs exploited in the past.
Never trust the client software to be secure."

The preset payment stuff is not enforced by SL itself - it's all in the viewer. This is not new. This is well known. The documentation warns scripters about this sorta thing pretty clearly. I'd be a little nervous about somebody who makes money-based products and didn't know about this one.
|
DoS Freng
Registered User
Join date: 16 Nov 2009
Posts: 1
|
11-16-2009 19:56
Hello, I am one of the 5 people in suggestion.
I personally was responsible for taking 1,038,000 L from you.
I was able to sell the L in time to a third party site and I already have the money in my bank account.
LL is not going to give your L back. Have a nice day and thanks for being offline for 3 days so we could wipe out your empire.
|
Tarentino Blackheart
Registered User
Join date: 16 Nov 2009
Posts: 0
|
lol
11-16-2009 19:57
Hello there :3
My what a great three days it was, that 2,000,000 L my friend and I took came in handy, and you actually think LL took care of the situation? They don't even have a clue where it all went. Sure the accounts are banned, but that didn't stop us from getting what we wanted.
I, Asylum, take responsibility for my part in this. You scam people with a non-luck based game and we scam you back.
Thank you for allowing us to wipe out your empire, personally I am touched you stayed offline for 3 days to allow us to do so, and I am sure your customers had a hard time logging back in once we crashed them. They should be able to log back in now.
Take care.
-Asylum
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
11-16-2009 20:17
Yeah. He forced them to play the game. Idiot.
|
Peggy Paperdoll
A Brat
Join date: 15 Apr 2006
Posts: 4,383
|
11-16-2009 21:02
From: Tarentino Blackheart
"Hello there :3
My what a great three days it was, that 2,000,000 L my friend and I took came in handy, and you actually think LL took care of the situation? They don't even have a clue where it all went. Sure the accounts are banned, but that didn't stop us from getting what we wanted.
I, Asylum, take responsibility for my part in this. You scam people with a non-luck based game and we scam you back.
Thank you for allowing us to wipe out your empire, personally I am touched you stayed offline for 3 days to allow us to do so, and I am sure your customers had a hard time logging back in once we crashed them. They should be able to log back in now.
Take care.
-Asylum"

Assuming this is not some kind of joke I wouldn't be so smug just yet.............2,000,000 lindens is well above the petty theft threshold. You got to know digital tracks are always traceable. And the gloating says you are definitely not pros..........watch your backs.
|