If you have any passwords stored in notecards, you'll want to change them.
|
Huns Valen
Don't PM me here.
Join date: 3 May 2003
Posts: 2,749
|
07-20-2005 17:47
JS has updated his lsl.zip file with source from my multivendor, as well as the configuration notecard. The notecard was protected, which tells me that notecards themselves are just as vulnerable as scripts. (Both access checks probably use the same code path.) The vendor is not a big deal - there's already a similar one (which actually has more features) posted in the scripting library. However, the notecard is an interesting piece, since it proves that the exploit exposed notecards as well as scripts.
If you have notecards with sensitive passwords in them, I advise you to change your passwords immediately and take any objects containing them into inventory.
I am still of the opinion that this exploit has not been permanently fixed, and advise extreme caution for anyone who wishes to protect their assets. I may be mistaken about this and I hope that I am, but I feel it is necessary to voice what I suspect is true.
That is all...
|
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
|
07-20-2005 19:49
Thanks for the heads up, Huns.
_____________________
 My other hobby: www.live365.com/stations/chip_midnight
|
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
|
07-20-2005 19:58
Just an additional note, storing secure info in Notecards is generally a bad idea.
Rip notecard out of object, place in an object you own, and use a llRequestNotecardLine() script to print it out for you.
-Adam
|
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
|
07-20-2005 20:48
Yeah that whole ripping objects out of objects you don't have mod privileges on was a really really dumb idea. Who came up with that one?
It causes sooo much grief and keeps so much from getting built (like, try before buy) and probably has been a source of over half of the duplication hacks.
_____________________
Taken from the last paragraph on pg. 16 of Cory Ondrejka's paper "Changing Realities: User Creation, Communication, and Innovation in Digital Worlds": "User-created content takes the idea of leveraging player opinions a step further by allowing them to effectively prototype new ideas and features. Developers can then measure which new concepts most improve the products and incorporate them into the game in future patches."
|
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
|
07-20-2005 21:14
Regardless of its value (and I will grant being able to pull out things has proved handy in the past), it's there now - and removing it will break things like people who sell boxed items (although again, they should be using a scripted box). So, we are going to have to accept it - and take it into account when analysing security risks. -Adam
|
Curtis Night
Registered User
Join date: 18 Apr 2005
Posts: 8
|
07-20-2005 21:15
For what purpose would someone put a password on an SL notecard?
|
Huns Valen
Don't PM me here.
Join date: 3 May 2003
Posts: 2,749
|
07-20-2005 23:52
From: Adam Zaius
Just an additional note, storing secure info in Notecards is generally a bad idea.
Rip notecard out of object, place in an object you own, and use a llRequestNotecardLine() script to print it out for you.
Yeah... I used it to configure a vendor that I owned. If I had ever got around to selling the vendor to others, they'd have had read/write access to the notecard anyhow.
From: Curtis Night
For what purpose would someone put a password on an SL notecard?
What if the object needed to talk to another and it was some kind of communication that needed to be authenticated? For example, some vendors don't actually have inventory - they send a message to a central repository, and the repository delivers the item. That is the kind of thing you'd want a password on.
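The vendor-to-repository setup Huns describes, as an added LSL example that is not code from the thread or from anyone's actual vendor. It assumes a notecard named "config" holding a "password=..." line, an assumed private channel REPO_CHANNEL shared with the repository, and a constructed message format ("REQUEST|", "CHALLENGE|", "AUTH|"). The point it illustrates is where the secret actually lives: the script reads it with llGetNotecardLine(), so anyone who can read the object's contents (the owner, the next owner after a sale, or whatever exposed scripts and notecards in this thread) gets it. Answering a challenge with llSHA1String() keeps the password off the chat channel, but does nothing for the notecard itself.

```lsl
// Added example, not from the original thread.
// Assumed names: notecard "config", channel REPO_CHANNEL, message formats below.
string CONFIG_NOTECARD = "config";   // assumed notecard name
integer REPO_CHANNEL = -8675309;     // assumed private channel shared with the repository
string secret = "";                  // filled from the "password=" line of the notecard
key query;                           // dataserver request id for the current line
integer line;

default
{
    state_entry()
    {
        // Start reading the configuration notecard one line at a time.
        line = 0;
        query = llGetNotecardLine(CONFIG_NOTECARD, line);
        // Listen for the repository's replies on the shared channel.
        llListen(REPO_CHANNEL, "", NULL_KEY, "");
    }

    dataserver(key id, string data)
    {
        if (id != query) return;          // not our notecard request
        if (data == EOF)
        {
            // Finished reading; without a secret the vendor cannot authenticate.
            if (secret == "") llOwnerSay("no password= line found in " + CONFIG_NOTECARD);
            return;
        }
        // Expected line format (constructed): password=<value>
        if (llGetSubString(data, 0, 8) == "password=")
            secret = llGetSubString(data, 9, -1);
        query = llGetNotecardLine(CONFIG_NOTECARD, ++line);
    }

    touch_start(integer n)
    {
        // Ask the repository for a delivery; it is expected to answer with a challenge.
        llSay(REPO_CHANNEL, "REQUEST|" + (string)llDetectedKey(0));
    }

    listen(integer channel, string name, key id, string msg)
    {
        // Repository replies "CHALLENGE|<nonce>"; answer with a hash so the
        // password itself never crosses the channel in the clear.
        // The notecard still holds it in plain text, which is the exposure
        // discussed in this thread.
        if (llGetSubString(msg, 0, 9) == "CHALLENGE|")
        {
            string nonce = llGetSubString(msg, 10, -1);
            llSay(REPO_CHANNEL, "AUTH|" + llSHA1String(nonce + secret));
        }
    }
}
```

The repository side would hold the same secret and compare llSHA1String(nonce + secret) against the AUTH reply; since both objects store the secret in inventory, both are only as private as their contents are, which is the caution the thread is raising.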
|
Toneless Tomba
(Insert Witty Title Here)
Join date: 13 Oct 2004
Posts: 241
|
07-21-2005 09:40
Notecards which are not modifiable that can't be read by normal means can be read easily by llGetNotecardLine() like Adam said. But the case is you have to own that notecard. For someone storing a password in their own vendor, it should be ok because only the owner can read that notecard unless somebody somehow finds its key. So if you don't want the next owner to know the contents of that notecard then don't use a notecard.
|
Huns Valen
Don't PM me here.
Join date: 3 May 2003
Posts: 2,749
|
07-21-2005 15:12
From: Toneless Tomba
Notecards which are not modifiable that can't be read by normal means can be read easily by llGetNotecardLine() like Adam said. But the case is you have to own that notecard. For someone storing a password in their own vendor, it should be ok because only the owner can read that notecard unless somebody somehow finds its key. So if you don't want the next owner to know the contents of that notecard then don't use a notecard.
The hackers posted the contents of a notecard in MY vendor, which I never gave to anyone.
|