Website Hijack
|
Loki Pico
Registered User
Join date: 20 Jun 2003
Posts: 1,938
|
06-30-2005 21:33
I just experienced a redirect on the website. I went to look at community and was prompted to log in and I did and instead of going to the land, I got an unrelated real estate page. I sort of freaked out and didn't note who it actually was though. Sorry about that.
As a precaution, I immediately changed my password for my account. I am using Mozilla Firefox 1.0.4. Just a heads up to those that need to know. Please double check the site and if others see this redirect, please report in with more information.
|
Loki Pico
Registered User
Join date: 20 Jun 2003
Posts: 1,938
|
06-30-2005 21:42
More info. I checked my browser history and discovered the site I was sent to was www.homes.com I was attempting to log into the LAND section (top of this page) and got sent there. It may have been a hiccup, I dunno what happened, just reporting it.
|
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
|
06-30-2005 22:09
Ah, interesting. Here's a trick: Name an object: <a href="http://www.google.com">Google</a> Sell it to somebody then quickly go to http://secondlife.com/community/index.php and you'll see a nice clickable Google link on that page under Recent Transactions. This is a benign example, but somebody more nefarious could easily use <script> tags to launch a nasty cross site scripting attack on the residents of Second Life. This will be reported immediately.
|
Essence Lumin
.
Join date: 24 Oct 2003
Posts: 806
|
06-30-2005 23:16
Huh. Check out this post I made a while ago. I could swear it was a lot longer ago than April (I was thinking a year ago) but that is the date shown here. /120/c9/41455/1.html
_____________________
Farewell.
|
Hiro Pendragon
bye bye f0rums!
Join date: 22 Jan 2004
Posts: 5,905
|
07-01-2005 01:33
From: Ushuaia Tokugawa Ah, interesting. Here's a trick: Name an object: <a href="http://www.google.com">Google</a> Sell it to somebody then quickly go to http://secondlife.com/community/index.php and you'll see a nice clickable Google link on that page under Recent Transactions. This is a benign example, but somebody more nefarious could easily use <script> tags to launch a nasty cross site scripting attack on the residents of Second Life. This will be reported immediately. Are you sure that there isn't text parsing, and only basic HTML allowed? (bold, underline, tables, etc?)
_____________________
Hiro Pendragon ------------------ http://www.involve3d.com - Involve - Metaverse / Emerging Media Studio
Visit my SL blog: http://secondtense.blogspot.com
|
Oz Spade
ReadsNoPostLongerThanHand
Join date: 23 Sep 2003
Posts: 2,708
|
07-01-2005 01:35
Hmmm, I'd set this as a priority for the website updates. Kinda one of those things that could become a nightmare if the wrong person(s) figured it out.
THIS COULD BE AN IPS STEALING NIGHTMARE!!!1 (seriously though, it could)
_____________________
"Don't anticipate outcome," the man said. "Await the unfolding of events. Remain in the moment." - Konrad
|
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
|
07-01-2005 01:43
From: Hiro Pendragon Are you sure that there isn't text parsing, and only basic HTML allowed? (bold, underline, tables, etc?) No, it's all the way bad. As bad as a 64 character javascript snippet can possibly be, at least.
|
Brent Linden
eXtreme Bug Hunter
Join date: 16 Feb 2005
Posts: 212
|
07-01-2005 16:06
Thanks for bringing this to our attention. Our crack team of php and html ninjas has patched the site to keep this from happening in the future -- all while singing "On the Road Again"! Our web monkeys are multi-talented. Anyway, we want you to know that even if someone had redirected you to a website with less than savory intentions, our site doesn't post any information to the next page after logging in, so your information is safe. You can change your password back, if you like. Our thanks to the folks in IRC for the heads-up regarding this thread!
_____________________
The best way to predict the future is to invent it. -Alan Kay
|
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
|
07-01-2005 22:27
From: Brent Linden Our thanks to the folks in IRC for the heads-up regarding this thread!
Absolutely, I would like to second this fete to the IRC crew for summoning the much needed attention to this very serious security issue. Within minutes of the issue being raised in IRC, the bug was fixed! As a side note, this situation taught me a very important lesson: For most issues the triple-combination of the Bug Report / Hotline Post / IMing a Linden is more than sufficient. However, if you really want your issue resolved quickly, the proper bug reporting tool is your IRC client.
|
Caliandris Pendragon
Waiting in the light
Join date: 12 Feb 2004
Posts: 643
|
07-01-2005 23:27
From: Ushuaia Tokugawa Absolutely, I would like to second this fete to the IRC crew for summoning the much needed attention to this very serious security issue. Within minutes of the issue being raised in IRC, the bug was fixed! As a side note, this situation taught me a very important lesson: For most issues the triple-combination of the Bug Report / Hotline Post / IMing a Linden is more than sufficient. However, if you really want your issue resolved quickly, the proper bug reporting tool is your IRC client. What an IRC crew? What is my IRC client? I use SL a lot, have been here more than a year, but I am a complete non-techie and can't be the only person who has no idea what you are talking about. It is no good telling us that the proper bug reporting tool is my IRC client... I am assuming it isn't the in-game bug report as you say that "for most issues the triple-combination of the Bug Report/Hotline Post/IMing a Linden is more than sufficient..." although I have to say that unless I found something devastating, I'd be unlikely to do more than bug reporting in game. Cali
|
Brent Linden
eXtreme Bug Hunter
Join date: 16 Feb 2005
Posts: 212
|
07-01-2005 23:47
The proper bug reporting tool is the in-world bug reporting tool. Often we get repeat bugs that do not need the attention of a developer right away. However, if you have an exploit or a really serious bug that could potentially cause complete unusability of Second Life we urge you to seek out a Bug Hunter or Liaison in-world and alert them to the situation. The folks on the #secondlife IRC channel happened to catch me and let me know someone had posted this thread, and the fix was literally a few lines of code on the website.
In general, the Hotline isn't the right place to post a bug. Bug Hunters do not frequently watch the Hotline and we're usually alerted to those pleas for help by Robin.
If you'd like to get in on the IRC action, here's how!
First, download an IRC client. The popular ones for Windows are IceChat and mIRC, both available from download.com. If you're on a Mac, I suggest Colloquy at colloquy.info. You can also find lots of IRC software and tips at efnet.org.
Next, set it up with an IRC server connection. I use irc.efnet.net.
Finally, connect to the #secondlife channel/room. To do this, log into the IRC server. After logging in, type '/join #secondlife' (no quotes). Most IRC programs also let you press a button to join a channel/room.
You'll find IRC-style chat is very much like Second Life chat and that the folks who hang out in the #secondlife room are very helpful and welcoming. You'll also find a few Lindens there during office hours (myself included).
_____________________
The best way to predict the future is to invent it. -Alan Kay
|
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
|
07-02-2005 00:43
Edit: I'm going to copy my main question up here since sometimes people don't like to scroll. However, in two weeks when everybody has taken your advice to join in on IRC and all the Lindens leave EFNet #secondlife because they're sick of getting their asses whipped constantly, what will the solution to a serious issue like this be then? ------------ From: Brent Linden The proper bug reporting tool is the in-world bug reporting tool.
Agreed. I was being a little cheeky. However, I made certain to properly bug report this issue. From: someone Often we get repeat bugs that do not need the attention of a developer right away.
I completely understand this. This was the main reason I explored alternative methods of bug reporting. From: someone However, if you have an exploit or a really serious bug that could potentially cause complete unusability of Second Life we urge you to seek out a Bug Hunter or Liaison in-world and alert them to the situation.
I believe this issue falls into this category (despite your best efforts to downplay it). Passwords were at serious risk of being phished, and I'm not sure if you can be certain that any weren't. As such, I contacted one of the two Lindens that were available in world and apprised her of the seriousness of the situation. I was informed that the issue had been "escalated". From: someone The folks on the #secondlife IRC channel happened to catch me and let me know someone had posted this thread, and the fix was literally a few lines of code on the website.
That's part of what has me bothered. It's a serious situation with an easy fix, yet some 18 hours later nothing had been done. From: someone In general, the Hotline isn't the right place to post a bug. Bug Hunters do not frequently watch the Hotline and we're usually alerted to those pleas for help by Robin.
I realize that the Hotline gets bogged down, but the description of the Hotline To Linden forum is: "You've discussed it in the forums. You've proposed it in the voting system. You've reported your bug, talked to Liaisons and Live Help, and emailed support. Still have a question or an idea for Linden feedback? Then post it here!" In my defense, this describes my situation to the letter. That's why I posted there. From: someone If you'd like to get in on the IRC action, here's how!
Yes, by all means! It is an excellent tool for collaborating on Second Life. Here is my main issue though: I did everything you suggested. I went above and beyond the normal bug reporting process. I'm not suggesting that IRC should be the de facto means of reporting serious bugs when all other avenues fail. In this case however, it was the solution. However, in two weeks when everybody has taken your advice to join in on IRC and all the Lindens leave EFNet #secondlife because they're sick of getting their asses whipped constantly, what will the solution to a serious issue like this be then?
|
Adept Pascal
Elite, get over it.
Join date: 25 Jun 2005
Posts: 26
|
07-02-2005 01:05
From: Ushuaia Tokugawa That's part of what has me bothered. It's a serious situation with an easy fix, yet some 18 hours later nothing had been done.
In fact it was discussed in IRC and the link to this thread was posted there. When I got home from work I read up my IRC "chat history" and saw this I decided to follow up on the issue again in case it hadn't been picked up yet. Technically, IRC was no faster and would have been the same as finding the right Linden and IMing them. llBrent did an outstanding job of taking ownership and got the right people in place and got the job done without delay. Credit is due. Also the immediate technical assistance from the SL users who hang out in IRC who were able to act in a "tester" role for LL deserve a lot of credit too. The people are excellent. However, it's the process of bug reporting that may need review. Perhaps if the Report Bug feature in the SL Client had a Security category that would always alert the right people directly it would cover this kind of thing a little better. How would you like to put up a vote in the feature voting system for a Security category in bug reporting? Post a link to the vote from here - I'll definitely vote for it.
|
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
|
07-02-2005 01:31
From: Adept Pascal In fact it was discussed in IRC and the link to this thread was posted there. When I got home from work I read up my IRC "chat history" and saw this I decided to follow up on the issue again in case it hadn't been picked up yet.
Don't get me wrong! I'm not disparaging #secondlife. As a matter of fact, I was there. I'm the one who pasted the link. From: someone Technically, IRC was no faster and would have been the same as finding the right Linden and IMing them.
Agreed and agreed. My problem was I put my faith in the methods set forth by Linden Lab. I know better now. From: someone llBrent did an outstanding job of taking ownership and got the right people in place and got the job done without delay. Credit is due. Also the immediate technical assistance from the SL users who hang out in IRC who were able to act in a "tester" role for LL deserve a lot of credit too. The people are excellent.
Thank you for bringing this up. Absolutely! Big kudos to Brent. He swiftly saw to the solution I was seeking. As for the SL users on IRC testing the bug: The bug had already been fully tested, duplicated, and reported. They were having a good time popping up javascript alerts and redirects, but it wasn't necessary. All the information was in LLs hands at that time. From: someone However, it's the process of bug reporting that may need review.
My whole reason for following through on this. From: someone Perhaps if the Report Bug feature in the SL Client had a Security category that would always alert the right people directly it would cover this kind of thing a little better. How would you like to put up a vote in the feature voting system for a Security category in bug reporting? Post a link to the vote from here - I'll definitely vote for it.
I will be glad to do that. I'd be interested to get some feedback first from the bug hunting team (which Brent is a part of) before I make such a proposal so as to fully capture the need for such a feature. I'll probably catch up with him on IRC, since that's where I know I can reach him.
|
Adept Pascal
Elite, get over it.
Join date: 25 Jun 2005
Posts: 26
|
07-02-2005 01:38
From: Ushuaia Tokugawa I'll probably catch up with him on IRC, since that's where I know I can reach him. LOL
|
Essence Lumin
.
Join date: 24 Oct 2003
Posts: 806
|
07-02-2005 02:54
This thread is interesting in respect to clicking on recent transactions and getting hijacked. As far as I can see it doesn't answer why Loki went to www.homes.com and I went to the US Bureau of Land Management when clicking on Land though.
_____________________
Farewell.
|
Brent Linden
eXtreme Bug Hunter
Join date: 16 Feb 2005
Posts: 212
|
I gotcher canna RAID right here!
07-02-2005 07:39
Okay ... I'm willing to step up to the plate here. Got a super-nasty-OMG-sky-falling kinda bug? I'm not talking about "OMG GREEFED" or "HLP PLS BOX ON HEAD!". I'm talking REAL nasties. Bugs that kick you in the shin, steal your lollypop AND call you bad names. These are the bugs I want to hear about ... personally. That's right, personally. Report your exploits, crashers (after checking your drivers and dumping cache, kk tx bye), and other *serious* bugs to me, directly, inworld. That's Brent Linden in Find > People. If you want my card or to make a friendship with me, I'm all too willing to do that too. My IM's are set to go to my email, so I'll get it even if I'm not inworld. I check my email fairly frequently, so I'm quite likely to get the message faster than the Report Bug feature. How's that for taking ownership?
_____________________
The best way to predict the future is to invent it. -Alan Kay
|
Brent Linden
eXtreme Bug Hunter
Join date: 16 Feb 2005
Posts: 212
|
07-02-2005 07:45
Hi Essence! The reason for that redirect was that someone named an object with Javascript code, which gave them the ability to change the link location for the Land button on the website. That security hole is fixed. I want to assure everyone that no personal information, passwords, credit card information or anything of that type is ever passed from the login page to the next page. The login page asks an internal page whether the password and user name is correct, and then allows the person to go on to the next page. Whoever made the link change made Homes.com the next page in the URL.
It seems they were only playing around with a flaw in our site, and did not have any malicious intent. Nevertheless, we've plugged up that hole. We're also combing over the site, looking for other places residents could inject code, and taking appropriate action.
_____________________
The best way to predict the future is to invent it. -Alan Kay
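The flaw Ushuaia demonstrated and Brent explains above (an object name dropped into the page as raw HTML, so that attacker-chosen markup or script runs in every visitor's browser) is a stored cross-site scripting bug. As an added illustration, not code from this thread or from the Second Life website, the Python below renders constructed sample object names two ways: a blocklist "fix" that only strips `<script>` tags, and proper output encoding for the HTML text context. The `audit` function counts how many names still inject markup under each renderer.

```python
import html
import re

# Constructed sample object names (not real transactions). The first two are the
# benign link and the script tag described in the thread; the remaining two are
# the kinds of markup a <script>-only filter misses.
SAMPLE_NAMES = [
    "Loki's Cozy Cabin",
    '<a href="http://www.google.com">Google</a>',
    "<script>document.getElementById('land').href='http://www.homes.com'</script>",
    '<img src=x onerror="alert(1)">',
]

SCRIPT_TAG_RE = re.compile(r"(?is)<script\b.*?>.*?</script\s*>")


def strip_script_tags(name):
    """Blocklist approach: remove <script>...</script> and nothing else.
    Shown here as the insufficient fix, not the recommended one."""
    return SCRIPT_TAG_RE.sub("", name)


def render_row_blocklisted(name):
    """Unsafe: after stripping script tags the name is still emitted as raw HTML,
    so anchors, images with event handlers and other tags survive."""
    return "<tr><td>%s</td></tr>" % strip_script_tags(name)


def render_row_escaped(name):
    """Safe for the HTML text context: every <, >, &, quote becomes an entity.
    quote=True also makes the result safe inside a quoted attribute value."""
    return "<tr><td>%s</td></tr>" % html.escape(name, quote=True)


# A tag opener that survives rendering means user data became markup.
MARKUP_RE = re.compile(r"<[a-zA-Z/!]")
ROW_OPEN, ROW_CLOSE = "<tr><td>", "</td></tr>"


def contains_markup(row):
    """Detection check on a rendered row: does the user-supplied cell body
    still contain a tag opener?"""
    inner = row[len(ROW_OPEN):-len(ROW_CLOSE)]
    return bool(MARKUP_RE.search(inner))


def audit(names):
    """Return (blocklist_leaks, escaped_leaks): the number of names that still
    inject markup under each renderer."""
    blocklist_leaks = sum(contains_markup(render_row_blocklisted(n)) for n in names)
    escaped_leaks = sum(contains_markup(render_row_escaped(n)) for n in names)
    return blocklist_leaks, escaped_leaks


if __name__ == "__main__":
    print("leaks (blocklist, escaped):", audit(SAMPLE_NAMES))  # (2, 0)
```

The same encode-on-output rule applies to any context the name is written into (attribute, URL, JavaScript string), each with its own encoder; stripping known-bad tags on input is never sufficient on its own.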
|
cloudy Varmint
Second Life Resident
Join date: 14 Nov 2004
Posts: 59
|
07-02-2005 09:22
I'd also like to mention that IRC is not secure and that your IP will be visible to all.
|
Lex Neva
wears dorky glasses
Join date: 27 Nov 2004
Posts: 1,361
|
07-02-2005 11:11
From: Brent Linden Hi Essence! The reason for that redirect was that someone named an object with Javascript code, which gave them the ability to change the link location for the Land button on the website. That security hole is fixed. I want to assure everyone that no personal information, passwords, credit card information or anything of that type is ever passed from the login page to the next page. The login page asks an internal page whether the password and user name is correct, and then allows the person to go on to the next page. Whoever made the link change made Homes.com the next page in the URL.
Right, but there's just that sticky issue someone mentioned above: phishing. There wasn't much time to come up with a phishing exploit, because you responded quickly, but someone still could have done it. All they had to do was make a little piece of javascript that redirected a person to another page on another server when they click "my account" (or land, as happened), and make the page look like a Second Life login page. People might unknowingly have supplied their Second Life login and password. That is why this is serious. It sounded to me like Loki did provide his username and password to someone.
|
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
|
07-02-2005 11:53
From: Lex Neva Right, but there's just that sticky issue someone mentioned above: phishing.
I think it is a bit of a disservice for the Lindens to continue to downplay this. If anybody has recently seen odd behaviour from the secondlife.com website such as off-site page redirects or the login page unexpectedly popping up, I think it's a good idea to change your password. It's probably a good idea to change your password periodically anyway. There was almost 18 hours between the time I first posted and when it was brought to the Lindens' attention on IRC. Plenty of time to come up with a mock login page and phish a few passwords. Fortunately, Brent made short order of the bug once it was brought to his attention. I don't believe much happened with the exploit during those 18 hours, except for a few people having fun "testing" the bug. Maybe too much fun! It's not this 18 hour window that's most worrisome. From Loki's account, it appears he was phished before that. It also appears this has been happening for some time. I can only assume the would-be hacker was either just having some fun, or was taking his time to better cover his tracks.
|