Bizarre account copybotting avatars, clothing and even profiles and groups

Sansarya and I were at a store earlier when we encountered a certain avatar who I will not name here due to silly regulations.

She suddenly morphed into an exact copy of Sans' avatar, with the exception of the hair she was wearing. We immediately thought COPYBOT.

I started to look at her profile to find out some info to use when I filed an AR and discovered, much to my shock, that except for the name, her profile was identical to Sans'. Then, after a couple of minutes, she became ME.

She claimed to be the store owner, but the names didn't match. I challenged her to relog onto her main as proof; she disappeared momentarily but reappeared shortly, still on the same account.

Sans and I both filed ARs and advised her that copybot-type scripts are a violation of the TOS. She ridiculed us.

I put out a group IM to one of the large social groups we frequent and soon eight or 10 people were there, filing ARs, but the whole time, she kept changing form into each of us. It was like fighting Mystique in X-Men.

Then it got really weird: her name began showing up as a member in some of our groups, some of which were invite-only.

Finally, after 10 minutes or so, she poofed and her name was gone from Search.

But it was definitely pretty weird, especially the profile and group part. We all agreed we had never seen anything like that before.

Here's a pic that Sans got showing her profile and the copybotter's profile (copied from hers) side by side.



P2

Yeah, the profile cloning's been in there for a while, darned if I can think of a practical use for it.

Hmm, I hadn't heard of profile cloning that I recall.

This could be the new big world coming to an end forum topic.

"her name began showing up as a member in some of our groups, some of which were invite-only"
That part sounds extra bad.

Yeah, I knew the profile copying was going on but the part about group joining is a new one. That could be an exploit with a lot of damage potential. I wonder if it can give someone the same group access as who they cloned. I wouldn't think so, but I never would have thought this was possible either.

That's more 'scary' than 'weird' IMO.

Mr Anderson, nice to see you!

That's pretty freaky. I hope that gets taken care of. Someone could join a Linden group that way I suppose.

What about land owner groups? That is really scary.

Very bad news, come back griefers all is forgiven.

I would say the land group part is the most scary they just gotta copy an alt that has alot of land then sell the land or abandon it..

The profile cloner in the libsl sample does send out join requests for all the groups in the profile it's cloning. If those requests are actually succeeding for closed access groups, and it's not just some cache artifact, that would be a pretty big SL bug. The new server has enough other nasty group-related bugs that it wouldn't surprise me though :/

We need someone to test this for us. Not me though.. cause I value my account.

you should have taken the blue pill. that's nuts!

That's bad for group cloning, perhaps we should all be sure basic members in our land groups can't do nasty stuff like sell our land, return objects or terraform. Unless of course it can copy ranks too? Make all your alts & friends officers in the group.

Let's just hope this was done by someone who was just out to prove it could be done and no more. The fact that they were open about what they could do and now it's become public knowledge is better than if they went around doing this in secret wrecking people's accounnts, homes etc.

Priceless.

There's another thread with some more commentary on the matter at SLU:
http://www.sluniverse.com/php/vb/general-sl-discussion/12363-bizarre-account-copybotting-avatars-clothing.html

I was there with Phoenix and Sans, and another person in the room with us found that the copybotter had indeed joined an invite-only group of hers. The botter was only a member of the "Everyone" role, instead of Owner/Officer like our friend was. While this is good, it's still a bit of an issue, because even though the default permissions on the Everyone role are very restrictive, it IS possible for a group owner to assign complete officer permissions to Everyone, doing so under the assumption that the group is secure, since it's invite-only.

The greater implication is that copybot could be used to steal group-owned land and objects. This is a VERY serious exploit if it is indeed true.

I am HOPING that our friend was mistaken and her group was open-join. I don't know the group name, so I haven't been able to personally confirm. She did say she had to eject the botter from the group though.

I just tried the profile cloning thing with TestClient. It did manage to join Fashcon to match my willing victim, but closed groups got the following message from SL:

<IM (MessageBox)> Second Life: You cannot join '[group name here]':
The group no longer has open enrollment.

Group land and permissions cannot be affected by CopyBot.

What i learned is this:

The JOIN GROUP button for "invite only" groups is actually there just not visible - so it can actually be joined via code command and not via button click - which is why the CopyBot can join groups, it just gets the group key, sends a join requiest and is instantly in. The rest of us are limited because we don't get the JOIN button so we cannot join.

To prevent CopyBot's from joining your closed group put an astronomical entry fee to the group. I use 50k Linden.

So, groups are safe from land/permission/pay-out rip-off exploits by means of CopyBot.

Well apparently not, the server caught it.

Did anyone report the exploit? This is a serious flaw in the groups if they can join like that.

I am confused by the messages above. Someone did test this?

The questions are:

1. Can you join groups that are invite-only?

2. What role can you join as?

What if, they cloned what appeared to be a Linden Account , and then found access to some tools we dont want people to to missuse...

bad news...

This could explain why I found items set to the correct land group, but owned by someone we never invited on our land, she didnt show up in group though. I just wrote it of as a bug and returned her stuff.

Yes, I tried it =)

The server wouldn't let me do that, but maybe I'm not special enough. Attempts to join closed groups manually without the whole profile gimmick failed with the same server message.

Didn't get that far =)