http://www.gnucitizen.org/blog/ie-pwns-secondlife
The problem isn't actually IE, although it's popular to blame Microsoft, but the fact that SL will accept command line arguments from a protocol handler.
In short it directs the viewer to connect to a possible malicious site, which would snatch your name and the MD5 hash of your password (for simple/easy passwords someone could do a reverse lookup on the hash with a pregenerated table) and that would theoretically be enough to impersonate you on the grid.
Hopefully LL will be fixing it immediately, or give a detailed explanation on why it shouldn't work in practice. Unchecking "Remember my password" would be enough to block it.
(Edited to add that it the "exploit" works on Firefox as well, so it really is LL's fault)
Welcome to the Second Life Forums Archive
These forums are CLOSED. Please visit the new forums HERE
Possible SL exploit |
|
|
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
|
09-18-2007 08:10
|
|
Dzonatas Sol
Visual Learner
Join date: 16 Oct 2006
Posts: 507
|
09-18-2007 09:01
Interesting....
_____________________
L$1 Rental Special - Every Week - Limit one per resident
http://slurl.com/secondlife/Haenim/30/30/705 |
|
Meade Paravane
Hedgehog
Join date: 21 Nov 2006
Posts: 4,845
|
09-18-2007 09:12
(Edited to add that it the "exploit" works on Firefox as well, so it really is LL's fault) /me waits for the zealots to blame Microsoft anyway. _____________________
Tired of shouting clubs and lucky chairs? Vote for llParcelSay!!!
- Go here: http://jira.secondlife.com/browse/SVC-1224 - If you see "if you were logged in.." on the left, click it and log in - Click the "Vote for it" link on the left |
|
Dnate Mars
Lost
Join date: 27 Jan 2004
Posts: 1,309
|
09-18-2007 09:13
http://www.gnucitizen.org/blog/ie-pwns-secondlife The problem isn't actually IE, although it's popular to blame Microsoft, but the fact that SL will accept command line arguments from a protocol handler. In short it directs the viewer to connect to a possible malicious site, which would snatch your name and the MD5 hash of your password (for simple/easy passwords someone could do a reverse lookup on the hash with a pregenerated table) and that would theoretically be enough to impersonate you on the grid. Hopefully LL will be fixing it immediately, or give a detailed explanation on why it shouldn't work in practice. Unchecking "Remember my password" would be enough to block it. (Edited to add that it the "exploit" works on Firefox as well, so it really is LL's fault) Yep, or not using untrusted clients. This is not an exploit, it is just another reason not to use an untrusted client. It can be a very useful tool to connect to a grid that is not LL's. _____________________
|
|
Bree Giffen
♥♣♦♠ Furrtune Hunter ♠♦♣♥
Join date: 22 Jun 2006
Posts: 2,715
|
09-18-2007 09:50
Damn that's pretty scary. Unchecking my save password box now. Now I have to go this website that says I can get free lindens....
_____________________
|
|
Papalopulus Kobolowski
working mind
Join date: 11 Aug 2006
Posts: 326
|
09-18-2007 10:07
and... with firefox too?
|
|
Torian Carter
Searching for a 3rd Life
Join date: 17 Apr 2007
Posts: 111
|
09-18-2007 10:19
Unchecking the 'remember password' is advisable for EVERY program or website that has it. It's generally a very bad practice to save your password.
And make sure you use a, so called, strong password. At least 8 characters and include a couple of numbers and an alphanumeric. Best way to do this is to think of a short phrase and transpose some letters with numbers. Something like 'SL is great' translates to SL1sgre@t |
|
Tygarys Soyinka
Insane Furry Lag Monster
Join date: 17 Sep 2005
Posts: 136
|
09-18-2007 10:33
/me waits for the zealots to blame Microsoft anyway. Darn you Bill Gates! This wouldn't happen in Linux! _____________________
Tygarys Soyinka
Just what every planet needs, cats in charge. - The Doctor |
|
Pale Spectre
Registered User
Join date: 2 Sep 2005
Posts: 586
|
Firefox
09-18-2007 10:53
For Firefox users in about:config
set network.protocol-handler.warn-external-default to true (which is the default setting) ...this should ensure that you get a warning before the external protocol request is processed. You might also review all of the network.protocol-handler.warn settings as secondlife: isn't the only one that can be exploited. |
|
Colette Meiji
Registered User
Join date: 25 Mar 2005
Posts: 15,556
|
09-18-2007 11:00
I always figured storing your password was a bad idea. Anywhere on your computer.
|
|
Dnate Mars
Lost
Join date: 27 Jan 2004
Posts: 1,309
|
09-18-2007 11:39
Uh, you know, posting an exploit on the forums is a big no-no. Since LL is already aware of it, I am not sure that this post should stay.
_____________________
|
|
Cristalle Karami
Lady of the House
Join date: 4 Dec 2006
Posts: 6,222
|
09-18-2007 11:42
Don't be ridiculous. It's a warning to uncheck the store password box.
Thanks for the warning, Kitty, I will promptly uncheck that box. _____________________
Affordable & beautiful apartments & homes starting at 150L/wk! Waterfront homes, 575L/wk & 300 prims!
House of Cristalle low prim prefabs: secondlife://Cristalle/111/60 http://cristalleproperties.info http://careeningcristalle.blogspot.com - Careening, A SL Sailing Blog |
|
Tessalicious Flanagan
Registered User
Join date: 10 Jun 2007
Posts: 6
|
09-18-2007 11:43
Uh, you know, posting an exploit on the forums is a big no-no. Since LL is already aware of it, I am not sure that this post should stay. Since when does posting news about an exploit turn to the actual exploit itself? Besides, I'd rather work in the light than in the dark. Full disclosure is always best. |
|
Meade Paravane
Hedgehog
Join date: 21 Nov 2006
Posts: 4,845
|
09-18-2007 11:53
The blog is saying this doesn't work on FireFox.. I don't have FireFox - can somebody check this out and maybe send an IM to Phoenix Linden if you _can_ repro this with FireFox?
http://blog.secondlife.com/2007/09/18/second-life-url-handler-exploit/ _____________________
Tired of shouting clubs and lucky chairs? Vote for llParcelSay!!!
- Go here: http://jira.secondlife.com/browse/SVC-1224 - If you see "if you were logged in.." on the left, click it and log in - Click the "Vote for it" link on the left |
|
Dytska Vieria
+/- .00004™
Join date: 13 Dec 2006
Posts: 768
|
09-18-2007 11:55
This was talked about yesterday here: /111/52/211124/1.html
It was announced on bugtraq sunday am. If you use anything but IE, you don't have to worry, maybe  rtfa_____________________
+/- 0.00004
|
|
Har Fairweather
Registered User
Join date: 24 Jan 2007
Posts: 2,320
|
09-18-2007 12:39
Since when does posting news about an exploit turn to the actual exploit itself? Besides, I'd rather work in the light than in the dark. Full disclosure is always best. QFT! |
|
Warda Kawabata
Amityville Horror
Join date: 4 Nov 2005
Posts: 1,300
|
09-18-2007 12:43
Uh, you know, posting an exploit on the forums is a big no-no. Since LL is already aware of it, I am not sure that this post should stay. Seeing as how LL itself posted even more detail about how to use this exloit on their blog, I don't see the harm. _____________________
I rent out land on private islands. Message me in-world for details. |
|
Dnate Mars
Lost
Join date: 27 Jan 2004
Posts: 1,309
|
09-18-2007 13:00
I understand that, but people have been banned in the past for alerting people of a possible exploit. Warning are nice, but they can also lead to wrongdoers doing wrong.
_____________________
|
|
Sling Trebuchet
Deleted User
Join date: 20 Jan 2007
Posts: 4,548
|
09-18-2007 13:54
And on the Blog:
"We have a client side fix for this undergoing Quality Assurance. We expect to deploy the new 1.18.2.1 client this week and make it a required upgrade." Required upgrade!! Oh rats! I'l have to dig up all the info on how to dissect the apparently horrible and huge communication interface. I was quite happy with the pre-Voice client thank you! *grumbles* |
|
Sweetly Blessed
Registered User
Join date: 17 Sep 2007
Posts: 51
|
Help please =)
09-18-2007 14:01
Hi new here and to SL =) Unforunately, I am using IE 6.
Can someone please tell me what i need to do in order to close this loophole for the IE Exploit in plain english? This news is very disturbing! What is it exactly that I need to do to protect myself? Please be explicit n thanks so much |
|
Brodsky Zapedzki
Registered User
Join date: 30 Mar 2007
Posts: 337
|
09-18-2007 14:05
Un-check ‘Remember password’ in the login screen of the Second Life client.
|
|
Katier Reitveld
M2 News Manager
Join date: 13 Sep 2005
Posts: 412
|
09-18-2007 14:17
Un-check ‘Remember password’ in the login screen of the Second Life client. AND don't go around clicking random wierd links. (the former avoids the problem but the latter is good practice - oh and don't use IE) |
|
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
|
09-18-2007 14:41
Uh, you know, posting an exploit on the forums is a big no-no. Since LL is already aware of it, I am not sure that this post should stay. If it was an exploit involving permissions that would be bad to post since it doesn't really do any good at all to warn against that, or if it was something I'd found on my own and wasn't "widely" known already that would be irresponsible as well. This was talked about yesterday here: /111/52/211124/1.html  . |
|
Trella McMahon
Registered User
Join date: 21 May 2007
Posts: 163
|
When I uncheck the box
09-18-2007 15:20
It just simply comes right back when i reopen the SL page. This is really getting beyond scary.
|
|
Kiboe Munro
Registered User
Join date: 16 Jun 2007
Posts: 338
|
09-18-2007 15:26
Unchecking the 'remember password' is advisable for EVERY program or website that has it. It's generally a very bad practice to save your password. And make sure you use a, so called, strong password. At least 8 characters and include a couple of numbers and an alphanumeric. Best way to do this is to think of a short phrase and transpose some letters with numbers. Something like 'SL is great' translates to SL1sgre@t mine is 26 charecters |
