possible, slight security flaw on SL for Mac
|
Dianne Mechanique
Back from the Dead
Join date: 28 Mar 2005
Posts: 2,648
|
07-07-2005 16:04
Maybe this has been noted previously, but I was checking the library files on my OS-X installation of SL and there is a folder that is created each time you log on labelled with your SL name. There was one for me and one for my two alts, each with our names on them.
The bad part, is that there were a lot of *other* folders, apparently from every time I mis-spelled my login, and the problem with that is that sometimes if the window is not frontmost when you start typing you end up typing your password in one of the name windows. So right on my HD (apparently for two months or more), without my knowledge, I have several folders emblazoned with my "secret" password.
I know this is kinda my fault for foolishly mistyping my own name. I also live alone and no one else uses my computer, so no problem for me...
but this is pretty silly coding isn't it?
Suppose I lived with other people or had kids? I know this is a slightly trivial complaint, but isn't there a better solution than creating a folder with whatever is typed each time?
.
|
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
|
07-07-2005 16:15
Interesting. I use the save my password checkbox, so this doesn't happen to me. There are a few misspelled logins there, though.
_____________________
From: Hiro Pendragon Furthermore, as Second Life goes to the Metaverse, and this becomes an open platform, Linden Lab risks lawsuit in court and [attachment culling] will, I repeat WILL be reverse in court. Second Life Forums: Who needs Reason when you can use bold tags?
|
Ulrika Zugzwang
Magnanimous in Victory
Join date: 10 Jun 2004
Posts: 6,382
|
07-07-2005 16:51
From: Dianne Mechanique The bad part, is that there were a lot of *other* folders, apparently from every time I mis-spelled my login, and the problem with that is that sometimes if the window is not frontmost when you start typing you end up typing your password in one of the name windows. So right on my HD (apparently for two months or more), without my knowledge, I have several folders emblazoned with my "secret" password.
Good catch! I'll check mine as soon as I get home.
~Ulrika~
_____________________
Chik-chik-chika-ahh
|
Marcos Fonzarelli
You are not Marcos
Join date: 26 Feb 2004
Posts: 748
|
07-07-2005 21:46
From: Dianne Mechanique Suppose I lived with other people or had kids?
Then you should all have separate OSX logins. Did you know you can create separate accounts for OSX that are password secured?
|
Ulrika Zugzwang
Magnanimous in Victory
Join date: 10 Jun 2004
Posts: 6,382
|
07-07-2005 23:06
From: Marcos Fonzarelli Then you should all have separate OSX logins.
Did you know you can create separate accounts for OSX that are password secured?
Writing a text file with one's password contained in the name of that file is a security risk regardless of the separate safeguards an operating system provides. Now that it is public knowledge, it could be exploited by those who wish to gain entry to another's SL account.
~Ulrika~
_____________________
Chik-chik-chika-ahh
|
Dianne Mechanique
Back from the Dead
Join date: 28 Mar 2005
Posts: 2,648
|
07-07-2005 23:11
From: Marcos Fonzarelli Then you should all have separate OSX logins.
Did you know you can create separate accounts for OSX that are password secured?
Well yeah, but the problem remains I think. I have checked two of the three computers I use now, and they both had folders labeled with passwords on them. Collectively, all three of my passwords were exposed, one on one machine, and two on the other. Also you can break into OS-X with a safety pin practically, anyone who wanted to can easily get into your account on the machine. All of this is quite unlikely, and relies on someone actively plotting to do such a thing, but it seems inadvisable to me to have a system that makes it possible at all.
.
|
Kurt Zidane
Just Human
Join date: 1 Apr 2004
Posts: 636
|
07-08-2005 00:30
I knew SL created a folder with an avatar's name; I did not realize it created a folder even if log-in failed. In the future, I will be more cautious when using a public computer.
FYI, if you really want to protect your OS X user account data, maybe you should enable encryption.
|
Pete Fats
Geek
Join date: 18 Apr 2003
Posts: 648
|
07-08-2005 03:26
The same thing happens in:
C:\Documents and Settings\[user]\Application Data\SecondLife
It would not be a bad idea to only create the dir after successful authentication.
|
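One way to implement the suggestion above (create the per-avatar folder only after successful authentication), as an added example that is not part of the original thread and not Second Life's own code. The `first_last` folder naming, the `authenticate` callable and the sample account are assumptions for illustration; `stray_folders` lists leftover folders that do not match a known avatar name so they can be reviewed and deleted.

```python
import os
import tempfile

def profile_dir(base_dir, first, last):
    # Assumed layout: one folder per avatar, named "first_last" (hypothetical).
    return os.path.join(base_dir, f"{first}_{last}".lower())

def login(base_dir, first, last, password, authenticate):
    """Create the per-avatar folder only once the login is accepted.

    `authenticate` is a hypothetical callable standing in for the real
    login request; it returns True on success.
    """
    if not authenticate(first, last, password):
        return None  # nothing the user typed reaches the disk
    path = profile_dir(base_dir, first, last)
    os.makedirs(path, mode=0o700, exist_ok=True)  # owner-only access
    return path

def stray_folders(base_dir, known_avatars):
    """List existing folders that do not belong to a known avatar name."""
    expected = {f"{f}_{l}".lower() for f, l in known_avatars}
    return sorted(
        entry for entry in os.listdir(base_dir)
        if os.path.isdir(os.path.join(base_dir, entry)) and entry not in expected
    )

def demo():
    # Constructed account and inputs, for illustration only.
    accounts = {("alice", "example"): "correct-horse"}
    auth = lambda f, l, pw: accounts.get((f.lower(), l.lower())) == pw
    with tempfile.TemporaryDirectory() as base:
        # Folder left behind by the old behaviour (password typed as a name).
        os.mkdir(os.path.join(base, "correct-horse_example"))
        failed = login(base, "correct-horse", "Example", "x", auth)
        ok = login(base, "Alice", "Example", "correct-horse", auth)
        stray = stray_folders(base, [("alice", "example")])
        return failed, os.path.basename(ok), stray, sorted(os.listdir(base))

if __name__ == "__main__":
    print(demo())
```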
Dianne Mechanique
Back from the Dead
Join date: 28 Mar 2005
Posts: 2,648
|
07-08-2005 08:26
From: Pete Fats The same thing happens in:
C:\Documents and Settings\[user]\Application Data\SecondLife
It would be a bad idea to only create the dir after successful authentication.
I am not sure if there is an obvious way around it either, but I had to point it out once I saw it.
.
|
ArchTx Edo
Mystic/Artist/Architect
Join date: 13 Feb 2005
Posts: 1,993
|
07-14-2005 07:58
From: Dianne Mechanique I am not sure if there is an obvious way around it either, but I had to point it out once I saw it.
.
Thanks Dianne, this is much appreciated.
_____________________
 VRchitecture Model Homes at http://slurl.com/secondlife/Shona/60/220/30 http://www.slexchange.com/modules.php?name=Marketplace&MerchantID=2240 http://shop.onrez.com/Archtx_Edo
|