Welcome to the Second Life Forums Archive

SL Quicktime exploit still not addressed by LL

Chez Nabob
Registered User
Join date: 24 Dec 2005
Posts: 25
02-15-2008 12:20
Anyone else seen this article?

http://www.theregister.co.uk/2008/02/15/second_life_hack/
Isabeau Imako
P'tite Poulette
Join date: 13 Sep 2007
Posts: 2,335
02-15-2008 12:32
From the article,

"They're not doing much because last night I exploited a character 50 times," he says. "It was my own character, but they didn't know that. No power from above came down and said: 'stop that.' They certainly don't know when it happens because I do it all the time."

He does it to himself. Obviously, he also didn't AR himself - didn't complain of missing $L in his own account so of course no one 'noticed'.

There's always a risk so only enable video on sims you trust, and keep your virtual wallet almost empty unless you're just about to buy something.
Chez Nabob
Registered User
Join date: 24 Dec 2005
Posts: 25
02-15-2008 12:43
Yeah, but the bigger concern is this part of the article:

"For now, the exploit can only steal money that's in a victim's virtual wallet, but Miller, who is perhaps best known for hacking the iPhone a mere three weeks after it was released, says he's in the process of rewriting the code so it automatically debits credit cards filed on Second Life servers. (Credit cards are required of all users who own virtual land.) He also says it would be "trivial" to modify the exploit so it installs a rootkit or other type of backdoor on a vulnerable machine."

Seems a bit more alarming if LL stands by and watches them tap into credit cards, and according to the article there has been almost no activity by LL to close up the exploit despite the updated Quicktime software from Apple.
Ctarr Huszar
BEYOND TATTOO
Join date: 14 Oct 2005
Posts: 125
02-15-2008 12:56
From: Chez Nabob
Yeah, but the bigger concern is this part of the article:

"For now, the exploit can only steal money that's in a victim's virtual wallet, but Miller, who is perhaps best known for hacking the iPhone a mere three weeks after it was released, says he's in the process of rewriting the code so it automatically debits credit cards filed on Second Life servers. (Credit cards are required of all users who own virtual land.) He also says it would be "trivial" to modify the exploit so it installs a rootkit or other type of backdoor on a vulnerable machine."

Seems a bit more alarming if LL stands by and watches them tap into credit cards, and according to the article there has been almost no activity by LL to close up the exploit despite the updated Quicktime software from Apple.



Well I hope our friend who hacked the iPhone and is writing this new hack - is also writing a hack to open his prison cell - 'cause if he does hack the debit cards in SL - that's where he will end up.
_____________________
Ctarr Huszar - BEYOND TATTOO
Darien Caldwell
Registered User
Join date: 12 Oct 2006
Posts: 3,127
02-15-2008 12:58
The viewer will disable Quicktime playback if you don't have the up-to-date Quicktime installed. That doesn't mean you can't go and turn it on yourself. There's not much LL can do about it except tell people to update Quicktime. If people choose to not do that, and hack themselves, that's their little issue. :p
Colette Meiji
Registered User
Join date: 25 Mar 2005
Posts: 15,556
02-15-2008 12:58
From: Ctarr Huszar
Well I hope our friend who hacked the iPhone and is writing this new hack - is also writing a hack to open his prison cell - 'cause if he does hack the debit cards in SL - that's where he will end up.


Yeah I was just thinking that .. how is he going to hack credit cards and not wind up in jail?
Riko Jarman
Registered User
Join date: 2 Nov 2007
Posts: 68
02-15-2008 13:44
The vulnerability is in the Quicktime client. This is the part that runs on your PC. There's not much LL can do except try to force you to upgrade your Quicktime client. This is up to you to take care of, not LL.

And I don't use a credit card or Paypal for my payments to LL. I get a one time debit card and use that. If my card information gets ripped off I only lose $50 USD instead of a card with a much higher limit that can be spent in a matter of minutes.
Vlad Bjornson
Virtual Gardener
Join date: 11 Nov 2005
Posts: 650
02-15-2008 13:45
As Darien pointed out, this is a Quicktime security issue, not one that lies within the SL client. Everyone should be updating to the latest version of Quicktime. LL has already urged residents to do this several times, and is even making the update to version 7.4 mandatory in the preview of Windlight. I suspect that the main client will require this update in the future.

http://www.apple.com/quicktime/download/
_____________________
I heart shiny ! http://www.shiny-life.com
Raudf Fox
(ra-ow-th)
Join date: 25 Feb 2005
Posts: 5,119
02-15-2008 13:50
Me, I was thinking, "I hope he's good enough at coding that he can write his own lawyer program.. because he's going to need one heck of a defense for the debit card thing."

That's a crime no matter how you *ahem* hack it.

And it was a flaw with QuickTime.. and for a while, LL had shut it down, until the Apple team supposedly closed the flaw with a new update. *shrugs* I wouldn't go after LL, I'd go after Apple if something happened via their code anyways.
_____________________
DiamonX Studios, the place of the Victorian Times series of gowns and dresses - Located at http://slurl.com/secondlife/Fushida/224/176

Want more attachment points for your avatar's wearing pleasure? Then please vote for

https://jira.secondlife.com/browse/VWR-1065?
Chez Nabob
Registered User
Join date: 24 Dec 2005
Posts: 25
02-15-2008 14:06
OMG, are you guys actually reading the article?

More from the url:

"The demo works by exploiting an old vulnerability in Apple's QuickTime media player. While Apple has provided an update patching the hole, Second Life creator Linden Lab has done little to change the architecture that allowed the exploit to work in the first place. That means Second Life residents are at risk anytime there is an un-patched security bug in the Apple software. There were close to three-dozen such bugs last year, according to Secunia."

I understand that the problem was with Quicktime, but as the article points out in the portion above, LL hasn't made any changes to help close the exploit on the client side despite the fact that Apple has issued a fix to Quicktime.