Affiliate Vendors : Loophole? |
|
|
Gusher Castaignede
SL Builder
Join date: 8 Oct 2007
Posts: 342
|
08-14-2008 19:30
There's been word from people saying that there's a bug/loophole on affiliate vendors that can allow people to take items without paying for them. Fact or Myth? I asked them where they read this alert, but no official source was given, and they said it wasn't listed anywhere...
_____________________
Visit Us at
http://slurl.com/secondlife/Saddle%20Canyon/94/138/21/ |
|
Cristalle Karami
Lady of the House
Join date: 4 Dec 2006
Posts: 6,222
|
08-14-2008 19:38
I believe that the loophole involves giving people vendors with products in the vendor's inventory, versus a networked vendor that delivers the product from a server. I have an idea of what it is but someone who knows for sure will elaborate. I use hippoVEND, so that's not an issue.
_____________________
Affordable & beautiful apartments & homes starting at 150L/wk! Waterfront homes, 575L/wk & 300 prims!
House of Cristalle low prim prefabs: secondlife://Cristalle/111/60 http://cristalleproperties.info http://careeningcristalle.blogspot.com - Careening, A SL Sailing Blog |
|
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
|
08-15-2008 08:48
I think this http://forums.secondlife.com/showthread.php?t=261921
_____________________
|
Gusher Castaignede
SL Builder
Join date: 8 Oct 2007
Posts: 342
|
08-15-2008 10:22
"I think this /54/31/261921/1.html"
Very interesting, then it does exist.....the question now is which vendors are most secure. I see most people use Hippo based vendors.
_____________________
Visit Us at
http://slurl.com/secondlife/Saddle%20Canyon/94/138/21/ |
|
Talwyn Mills
Registered User
Join date: 8 May 2007
Posts: 51
|
08-15-2008 16:29
Interesting, I didn't know about that one.
But there is another one too, that allows someone who owns an affiliate vendor (not the issuer of the vendor) to buy, or allow to be bought, items from the vendor at no cost. This requires active participation of the vendor owner though. HippoTech have recently released 1.6.3a (IIRC) affiliate vendors that have safeguards against this exploit. I'm not aware of any other vendor that has been updated though. |
|
Jahar Aabye
Registered User
Join date: 14 Mar 2007
Posts: 58
|
08-18-2008 18:04
Anyone who finds a security loophole in how scripted payments (llGiveMoney() or the money() event) are processed should send an email to Security@LindenLab.com and/or submit a ticket under the SEC project on http://jira.secondlife.com detailing the loopholes and including as detailed an explanation/reproduction as possible. Both reporting methods are entirely anonymous (except to Linden Labs, obviously). Reporting bugs this way allows LL to fix them (and they respond QUICKLY to real security threats) without letting would-be hackers know that they exist.
For loopholes with specific affiliate vendors, your best bet is to notify the vendor maker. For widely-used vendors like Hippo or Apez, you should contact the individuals who run those systems. Some larger companies (especially if they have talented scripters on board) will script their own vendors, so you should contact the customer support reps for that company in that situation. |
|
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
|
08-18-2008 18:19
As far as I'm aware, the loophole involves disrupting the vendor's attempt to give the L$ to the vendor issuer, by either tampering with the script or object directly or having another script spam money transfers at the same time so that the communication between the sim and the commerce server is throttled and the throttle cancels the transaction.
In order to fix it, it's necessary to receive the money via a bot that can confirm the transfer occurred and post this fact on the web for the vendor to check. Some vendors claim to also check the owner's Statement page, which is technically also an exploit since it is outside the specification of llHTTPRequest. |
|
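The confirm-before-deliver fix described in the post above, shown as an added example that is not part of the thread or of any vendor's code. The class and function names, the 300-second freshness window, and the sample avatar keys are all assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not from any vendor product.
import time
from dataclasses import dataclass, field


@dataclass
class Receipt:
    payer: str          # avatar key of the buyer, as seen by the receiving bot
    amount: int         # L$ that actually arrived in the issuer's account
    seen_at: float      # when the bot observed the transfer
    claimed: bool = False


@dataclass
class ConfirmationLedger:
    max_age: float = 300.0                 # assumed freshness window, in seconds
    receipts: list = field(default_factory=list)

    def record(self, payer, amount, now=None):
        """Called by the receiving bot once the money has really arrived."""
        seen = time.time() if now is None else now
        self.receipts.append(Receipt(payer, amount, seen))

    def claim(self, payer, price, now=None):
        """Called on behalf of the vendor before delivery. Fails closed."""
        now = time.time() if now is None else now
        for r in self.receipts:
            if (not r.claimed and r.payer == payer and r.amount == price
                    and 0 <= now - r.seen_at <= self.max_age):
                r.claimed = True           # one receipt releases one delivery
                return True
        return False                       # no confirmed transfer: no item


def deliver(ledger, payer, price, now=None):
    """Vendor-side decision: hand over the item only on a confirmed receipt."""
    return "deliver" if ledger.claim(payer, price, now) else "withhold"
```

The vendor script's own view of the payment is never consulted here; only the receipt recorded on the receiving side can release an item, and each receipt can do so once.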
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
|
08-18-2008 22:21
There was recently a survey on SLDev that suggested Linden are planning to address the issue by allowing scripts to check on whether a transaction succeeded
_____________________
|
Ordella Halley
~HERETIC~ Fashion&Design
Join date: 19 Mar 2007
Posts: 53
|
08-18-2008 23:49
"Linden are planning to address the issue by allowing scripts to check on whether a transaction succeeded"
Oh god! Finally... they are a few years late anyway... it's about time!
_____________________
"I don't see how an article of clothing can be indecent. A person, yes." Robert A. Heinlein