Second Life Forums Archive - Fast Pay "Exploit"

Nepenthes Ixchel

Broadly Offended.

Join date: 6 Dec 2005

Posts: 696

04-29-2006 02:42

From: Adriana Caligari

Which part of "READ the thread before replying" did you not understand ?

I have repeatedly said "I will not disclose what it is"

If you have difficulty with that I can translate it into the language of your choice.

Translate it into LSL please. Then we can all see what the "bug" is, and decide for ourselves if it really is a bug or just a bunch of people getting burned by shoddy programming practices.

Eloise Pasteur

Curious Individual

Join date: 14 Jul 2004

Posts: 1,952

04-29-2006 02:53

If you would like to play the word game I refer you to your first post in this thread (post #16).

You don't specify an exploit, you state "the fault' - refering according to the rules of English grammar to the fault discussed previous, which is a fault that I later referred to (post #24)and you said specifically (in post #25) is a different topic.

You've driven me to write a contrary and argumentative post, after biting my lips several times and not contributing to the general level of hostility, so I for one think that regardless of the actual status of this bug Strife is in the right to warn you for trolling.

And regardless of the status of the bug it's still shoddy coding, a very simple bit of coding works around it.

Whilst we're being pedantic: You're also referring to llFastPay() in post #25 a function that I strongly suspect isn't there, certainly it's hard to find in the wiki. I assumed you meant llSetPayPrice, but I'm no longer so sure.

Strife Onizuka

Moonchild

Join date: 3 Mar 2004

Posts: 5,887

04-29-2006 02:58

I think I just found a different bug.

_____________________

Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey

Adriana Caligari

Registered User

Join date: 21 Apr 2005

Posts: 458

04-29-2006 05:06

Forum Guidelines
a post with an intentionally contrary opinion

From: Strife Onizuka

The current behavior doesn't have any bugs in it.

From: Strife Onizuka

I think I just found a different bug.

Burnman Bedlam

Business Person

Join date: 28 Jan 2006

Posts: 1,080

04-29-2006 06:04

Why is a moderator arguing on the forums?

_____________________

Burnman Bedlam
http://theburnman.com

Not happy about Linden Labs purchase of XStreet (formerly SLX) and OnRez. Will this mean LL will ban resident run online shoping outlets in favor of their own?

Yumi Murakami

DoIt!AttachTheEarOfACat!

Join date: 27 Sep 2005

Posts: 6,860

04-29-2006 08:02

Adriana, Strife - do either of your bugs require the debug menu to be open?

Adriana Caligari

Registered User

Join date: 21 Apr 2005

Posts: 458

04-29-2006 08:53

No debug required - standard SL is enough

Lex Neva

wears dorky glasses

Join date: 27 Nov 2004

Posts: 1,361

04-29-2006 09:15

This is probably not what Adriana is talking about, but I bet with a minor hack or two, you could replace all of the pay buttons in the client with $1 buttons, which would let you exploit vendors that don't check the pay price.

I think we've pretty much gotten to the bottom of this, even if we had to rip it out of Adriana. Not only is it possible to change the "current item" of a poorly scripted vendor to get an expensive item for cheap, it seems like there's also some way "with standard SL" to change the value of a pay window.... say maybe opening the pay dialog, paying someone $2 by entering it into the box, and then maybe that $2 is remembered even though it's not visible? I dunno. That just popped into my head.

Anyway, at this point, now we have a moderator and a dramastirrer engaging in a flamewar, which is pretty unproductive... Strife, I don't feel you have the need to justify yourself. About all that will come from this is that there's an exploit that can be fixed by good coding practices (always check the value in a pay event). If I could lock this thread, I would.

Haravikk Mistral

Registered User

Join date: 8 Oct 2005

Posts: 2,482

04-29-2006 09:37

I've had it before where the llPayPrice() window doesn't load completely, if you managed to catch it while it still has the default buttons then you could easily click and send a request that the vendor isn't expecting.

Gigs Taggart

The Invisible Hand

Join date: 12 Feb 2006

Posts: 406

04-29-2006 11:35

On the plus side, at least people are beating the hell out of the pay box, maybe we'll find 5 new bugs that should be fixed.

Strife Onizuka

Moonchild

Join date: 3 Mar 2004

Posts: 5,887

04-29-2006 13:11

Actualy the issue I found isn't the debug menu Edit UI (i managed to crash my client playing with it). It's actualy a totaly different issue (a design oversight; fortunately the percentage of the population who are susceptible is very small). I have reported it as an exploit.

_____________________

Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey

Adriana Caligari

Registered User

Join date: 21 Apr 2005

Posts: 458

04-29-2006 13:15

Well tell us about it then - or are you going to be irresponsible too and not divulge vital information to scriptors.

Strife Onizuka

Moonchild

Join date: 3 Mar 2004

Posts: 5,887

04-29-2006 13:27

It's a different type of exploit. Vender writers need not worry about it. Vender owners are best not knowing about it. Two standard deviations of the population it does not apply to.

_____________________

Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey

Rodrick Harrington

Registered User

Join date: 9 Jul 2005

Posts: 150

04-29-2006 13:31

wow, from what I get the idea is that it's possible to use the fastpay dialog to pay something other than what llSetPayPrice() specifies, or avoid it altogether. Again to fix this always check your payment before doing anything with it, and have money events in states where it's not needed and refund in them with an explanation. All simple things, easy enough to say Adrianna w/o divulging details about how to do the expoit. Yes that could be a bug in llSetPayPrice() if it's possible to circumvent the function call, and in that case calling it a bug is fine. You can divulge a bug and how to protect yourself against it without giving too much details, but repeatedly saying "there is a bug, JEVN has avoided it and it's been reported, but I won't tell you anything," is not conductive to a discussion. That's where the trolling comment came from. Before you go off on me I have read the entire thread, and what I got out of it was much along the lines of taunting us with information that's vital to safe business here. What came out of it after Robin's answer was "this is how you protect yourself" and the answer was something we should be doing anyway due to other expoits to the fastpay system. Again there might be a bug, but it wouldn't be a problem if we are doing good coding practices anyway.

If there is any other information than what I've gleaned from this thread please add that (good information, like "you should also do this . . . "

My recommendation from a forum moderator for many forums for many years would be to lock this thread in a short time, create a new thread with pertinent information (and post on wiki) and let this flamage die. (would also be nice to have someone else lock is as Strife is in the middle of it, makes it look less than professional)

Logan Bauer

Inept Adept

Join date: 13 Jun 2004

Posts: 2,237

04-29-2006 13:34

I wish I could hand everyone here a blank check. I'd write, in pencil, "One Dollar" under the amount, lightly enough that it could be very easily erased. Then I'd scream to the bank that their checks are buggy when I found my account empty.

Adriana Caligari

Registered User

Join date: 21 Apr 2005

Posts: 458

04-29-2006 13:54

From: Strife Onizuka

It's a different type of exploit. Vender writers need not worry about it. Vender owners are best not knowing about it. Two standard deviations of the population it does not apply to.

So tell us about it

If we need not worry about it - in your oppinion tell us and let us decide ourselves.

Surely we are all old enough to decide this for ourselves.

And vendor owners are best not knowing about it ?

What is this - you are deciding what vendor owners should and shouldn't know about ?

Are you dangling a carrot before us - or just lording over us ?

( I use other peoples words used against me for this verbage - as I would like you to know what it feels like )

Strife Onizuka

Moonchild

Join date: 3 Mar 2004

Posts: 5,887

04-29-2006 14:09

I've notified LL both by bug report & IM, and I've taken steps to notify the portion of the community who are in the outer starndard deviations. I expect it will get fixed monday or tuesday; though I haven't heard back from LL.

_____________________

Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey

Adriana Caligari

Registered User

Join date: 21 Apr 2005

Posts: 458

04-29-2006 14:20

Funny

Thats exactly what i did - notified LL ( bug and IM ) - notified the vendor sellers I knew of, and notified those people i know to trust.

Yet still I got a s**t load of abuse.

So tell us -

It is your responsibility as a moderator to inform the community at large what the issues and problems are - Public dissemination of security leaks has been proven to be in the publics'm interest.

( I seem to remember all of that to )

In fact if you substitute your name for mine - and mine for a few other peoples we are back to square one on the whole business.

At which stage someone comes in and accuses you of trolling for repeatedly answering a question in the negative.

Lex Neva

wears dorky glasses

Join date: 27 Nov 2004

Posts: 1,361

04-29-2006 14:38

Alright, folks. I've figured out what Adriana knows, I think. If I don't have the same exploit here, then I found another similar one.

My method allows you to pay a vendor that uses llSetPayPrice() any amount you want to, disregarding the llSetPayPrice() limitations. It doesn't require catching the dialog before it's loaded. It's simple. People could easily stumble upon it by accident. It doesn't require any creativity or complicated "hacking". It's simply a bug in SL. I've reported it just in case mine's different, but I highly doubt it is.

The exploitative nature of the bug is completely avoidable by always, always checking the results of a money event. I'd even be so forward as to say that any scripter that trusted llSetPayPrice() isn't one you want to buy a vendor script/system from.

I'm not going to post it here, but I'll tell individuals if they IM me and I'm convinced they're not going to use it for evil. IM me in world and we'll talk.

Now can we bury this?

Ordinal Malaprop

really very ordinary

Join date: 9 Sep 2005

Posts: 4,607

04-29-2006 14:45

Hah, my vendors always check the amount on money() because I'm never sure whether I've screwed up somewhere or not, and I don't trust myself. I suppose there are some rewards to self-deprecation.

Adriana Caligari

Registered User

Join date: 21 Apr 2005

Posts: 458

04-29-2006 14:57

From: Lex Neva

Let's just make things clear here -- You're telling people "I know something you don't know", over and over. You're telling scripters this, the people who can do a lot of work to fix the problem that you seem to know. You're lording it over us. You're dangling a carrot in front of our faces. You're telling us that there's some kind of horrible exploit out there, but you're not telling us enough details to fix it. That's the kind of thing that makes people like us lose sleep at night.

And no matter how much we beg you for more information, you pull a "Oops, I've said too much" act and clam up. That's unacceptable. You've only accomplished making a lot of people angry. If you never intended to give any details, you shouldn't have hinted at them. In that respect, all you've accomplished is to spark some pretty heated posts.

There's plenty of experience out in the wilds of the internet that shows that full disclosure is the way to prevent serious damage in a situation like this. Otherwise, only a few people will know how the exploit works, and if a sufficiently evil person learns, they can organize a wide-scale misuses of the exploit. At this point, if that happens, my feeling is that you will be in some degree ethically responsible for the damage, because you held back the information that would have helped us prevent the damage before it was inflicted. As it stands now, all we know is that SOMETHING is wrong. What do we do, take our vendors offline?

Certainly some evil people may read your explanation here... but a lot of good people will, because you've most definitely got our attention now. If linden lab has specifically asked you to be quiet, let us know. Otherwise, I urge you to tell us what you know so that we can start to mitigate the damage. If you don't tell us, evil people will find out anyway, and we'll be at their mercy because we didn't know how to fix the exploit.

Sorry - did you say something ?

Prometheus Deckard

Registered User

Join date: 24 May 2005

Posts: 23

04-29-2006 15:01

I've been kind of busy as of late, and haven't had time to keep up with this topic, so I'm not sure if the 'exploit' has been told to the public. I believe I know the problem, although I'm with anyone who says it shouldn't be said. There would be more problems if everyone knew. All I will say, which I'm sure has been said before, if you're using llSetPayPrice, make sure the amount paid is the same as the amount set. (Way I'm thinking that it can be exploited does not involve any hacking of client or anything else that isn't allowed, so this may even be a 'legal bug')

CODE


// Set 'amount_to_recieve' somewhere else
money(key id, integer amount)
{
      if(amount == amount_to_recieve)
      {
            // Do whatever it is that needs doing
      }
      else
      {
            llInstantMessage(llGetOwner(), "Your vendor at " + (string)llGetRegionName() + " <" + (string)llGetPos() + ">. May have been hacked by " + llKey2Name(llGetObjectOwner(id)));
      }
}

(Sorry if some commands aren't correct, wrote this on the forums right now, so commands didn't turn red if they were correct)

I've given enough clues as to how I think it may be done.

Hope this helps, if not, sorry for taking up some time

Nepenthes Ixchel

Broadly Offended.

Join date: 6 Dec 2005

Posts: 696

04-29-2006 16:53

From: Lex Neva

My method allows you to pay a vendor that uses llSetPayPrice() any amount you want to,

Is it a bug s the user interface, or a bug in LSL? I've always considered llSetPayPrice() to be a suggestion, since it relies on the client honoring the values it sends. (And if someone malicious is trying to steal your items, you obviously can't trust thier client)

Lex Neva

wears dorky glasses

Join date: 27 Nov 2004

Posts: 1,361

04-29-2006 17:03

From: Nepenthes Ixchel

Is it a bug s the user interface, or a bug in LSL? I've always considered llSetPayPrice() to be a suggestion, since it relies on the client honoring the values it sends. (And if someone malicious is trying to steal your items, you obviously can't trust thier client)

It's a UI bug, a way of getting around llSetPayPrice()'s suggestions. If you wanna know, just IM and ask

I'm not going to withhold it, but I don't want to post it right out in the open. That's not to say I think this exploit is anyone's fault but the scripters of affected vendors.

Kokoro Fasching

Pixie Dust and Sugar

Join date: 23 Dec 2005

Posts: 949

04-29-2006 17:08

From: Strife Onizuka

I've notified LL both by bug report & IM, and I've taken steps to notify the portion of the community who are in the outer starndard deviations. I expect it will get fixed monday or tuesday; though I haven't heard back from LL.

Interesting.. I belive you owe Adriana an apology then. You did the EXACT same as she did, but you gave her a ration of shyt. Own up to your mistake and apologize!

Fast Pay "Exploit"
Nepenthes Ixchel Broadly Offended. Join date: 6 Dec 2005 Posts: 696	04-29-2006 02:42 From: Adriana Caligari Which part of "READ the thread before replying" did you not understand ? I have repeatedly said "I will not disclose what it is" If you have difficulty with that I can translate it into the language of your choice. Translate it into LSL please. Then we can all see what the "bug" is, and decide for ourselves if it really is a bug or just a bunch of people getting burned by shoddy programming practices.
Eloise Pasteur Curious Individual Join date: 14 Jul 2004 Posts: 1,952	04-29-2006 02:53 If you would like to play the word game I refer you to your first post in this thread (post #16). You don't specify an exploit, you state "the fault' - refering according to the rules of English grammar to the fault discussed previous, which is a fault that I later referred to (post #24)and you said specifically (in post #25) is a different topic. You've driven me to write a contrary and argumentative post, after biting my lips several times and not contributing to the general level of hostility, so I for one think that regardless of the actual status of this bug Strife is in the right to warn you for trolling. And regardless of the status of the bug it's still shoddy coding, a very simple bit of coding works around it. Whilst we're being pedantic: You're also referring to llFastPay() in post #25 a function that I strongly suspect isn't there, certainly it's hard to find in the wiki. I assumed you meant llSetPayPrice, but I'm no longer so sure.
Strife Onizuka Moonchild Join date: 3 Mar 2004 Posts: 5,887	04-29-2006 02:58 I think I just found a different bug. _____________________ Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river. - Cyril Connolly Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence. - James Nachtwey
Adriana Caligari Registered User Join date: 21 Apr 2005 Posts: 458	04-29-2006 05:06 Forum Guidelines a post with an intentionally contrary opinion From: Strife Onizuka The current behavior doesn't have any bugs in it. From: Strife Onizuka I think I just found a different bug.
Burnman Bedlam Business Person Join date: 28 Jan 2006 Posts: 1,080	04-29-2006 06:04 Why is a moderator arguing on the forums? _____________________ Burnman Bedlam http://theburnman.com Not happy about Linden Labs purchase of XStreet (formerly SLX) and OnRez. Will this mean LL will ban resident run online shoping outlets in favor of their own?
Yumi Murakami DoIt!AttachTheEarOfACat! Join date: 27 Sep 2005 Posts: 6,860	04-29-2006 08:02 Adriana, Strife - do either of your bugs require the debug menu to be open?
Adriana Caligari Registered User Join date: 21 Apr 2005 Posts: 458	04-29-2006 08:53 No debug required - standard SL is enough
Lex Neva wears dorky glasses Join date: 27 Nov 2004 Posts: 1,361	04-29-2006 09:15 This is probably not what Adriana is talking about, but I bet with a minor hack or two, you could replace all of the pay buttons in the client with $1 buttons, which would let you exploit vendors that don't check the pay price. I think we've pretty much gotten to the bottom of this, even if we had to rip it out of Adriana. Not only is it possible to change the "current item" of a poorly scripted vendor to get an expensive item for cheap, it seems like there's also some way "with standard SL" to change the value of a pay window.... say maybe opening the pay dialog, paying someone $2 by entering it into the box, and then maybe that $2 is remembered even though it's not visible? I dunno. That just popped into my head. Anyway, at this point, now we have a moderator and a dramastirrer engaging in a flamewar, which is pretty unproductive... Strife, I don't feel you have the need to justify yourself. About all that will come from this is that there's an exploit that can be fixed by good coding practices (always check the value in a pay event). If I could lock this thread, I would.
Haravikk Mistral Registered User Join date: 8 Oct 2005 Posts: 2,482	04-29-2006 09:37 I've had it before where the llPayPrice() window doesn't load completely, if you managed to catch it while it still has the default buttons then you could easily click and send a request that the vendor isn't expecting.
Gigs Taggart The Invisible Hand Join date: 12 Feb 2006 Posts: 406	04-29-2006 11:35 On the plus side, at least people are beating the hell out of the pay box, maybe we'll find 5 new bugs that should be fixed.
Strife Onizuka Moonchild Join date: 3 Mar 2004 Posts: 5,887	04-29-2006 13:11 Actualy the issue I found isn't the debug menu Edit UI (i managed to crash my client playing with it). It's actualy a totaly different issue (a design oversight; fortunately the percentage of the population who are susceptible is very small). I have reported it as an exploit. _____________________ Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river. - Cyril Connolly Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence. - James Nachtwey
Adriana Caligari Registered User Join date: 21 Apr 2005 Posts: 458	04-29-2006 13:15 Well tell us about it then - or are you going to be irresponsible too and not divulge vital information to scriptors.
Strife Onizuka Moonchild Join date: 3 Mar 2004 Posts: 5,887	04-29-2006 13:27 It's a different type of exploit. Vender writers need not worry about it. Vender owners are best not knowing about it. Two standard deviations of the population it does not apply to. _____________________ Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river. - Cyril Connolly Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence. - James Nachtwey
Rodrick Harrington Registered User Join date: 9 Jul 2005 Posts: 150	04-29-2006 13:31 wow, from what I get the idea is that it's possible to use the fastpay dialog to pay something other than what llSetPayPrice() specifies, or avoid it altogether. Again to fix this always check your payment before doing anything with it, and have money events in states where it's not needed and refund in them with an explanation. All simple things, easy enough to say Adrianna w/o divulging details about how to do the expoit. Yes that could be a bug in llSetPayPrice() if it's possible to circumvent the function call, and in that case calling it a bug is fine. You can divulge a bug *and* how to protect yourself against it without giving too much details, but repeatedly saying "there is a bug, JEVN has avoided it and it's been reported, but I won't tell you anything," is not conductive to a discussion. That's where the trolling comment came from. Before you go off on me I have read the entire thread, and what I got out of it was much along the lines of taunting us with information that's vital to safe business here. What came out of it after Robin's answer was "this is how you protect yourself" and the answer was something we should be doing anyway due to other expoits to the fastpay system. Again there might be a bug, but it wouldn't be a problem if we are doing good coding practices anyway. If there is any other information than what I've gleaned from this thread please add that (good information, like "you should also do this . . . " My recommendation from a forum moderator for many forums for many years would be to lock this thread in a short time, create a new thread with pertinent information (and post on wiki) and let this flamage die. (would also be nice to have someone else lock is as Strife is in the middle of it, makes it look less than professional)
Logan Bauer Inept Adept Join date: 13 Jun 2004 Posts: 2,237	04-29-2006 13:34 I wish I could hand everyone here a blank check. I'd write, in pencil, "One Dollar" under the amount, lightly enough that it could be very easily erased. Then I'd scream to the bank that their checks are buggy when I found my account empty.
Adriana Caligari Registered User Join date: 21 Apr 2005 Posts: 458	04-29-2006 13:54 From: Strife Onizuka It's a different type of exploit. Vender writers need not worry about it. Vender owners are best not knowing about it. Two standard deviations of the population it does not apply to. So tell us about it If we need not worry about it - in your oppinion tell us and let us decide ourselves. Surely we are all old enough to decide this for ourselves. And vendor owners are best not knowing about it ? What is this - you are deciding what vendor owners should and shouldn't know about ? Are you dangling a carrot before us - or just lording over us ? ( I use other peoples words used against me for this verbage - as I would like you to know what it feels like )
Strife Onizuka Moonchild Join date: 3 Mar 2004 Posts: 5,887	04-29-2006 14:09 I've notified LL both by bug report & IM, and I've taken steps to notify the portion of the community who are in the outer starndard deviations. I expect it will get fixed monday or tuesday; though I haven't heard back from LL. _____________________ Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river. - Cyril Connolly Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence. - James Nachtwey
Adriana Caligari Registered User Join date: 21 Apr 2005 Posts: 458	04-29-2006 14:20 Funny Thats exactly what i did - notified LL ( bug and IM ) - notified the vendor sellers I knew of, and notified those people i know to trust. Yet still I got a s**t load of abuse. So tell us - It is your responsibility as a moderator to inform the community at large what the issues and problems are - Public dissemination of security leaks has been proven to be in the publics'm interest. ( I seem to remember all of that to ) In fact if you substitute your name for mine - and mine for a few other peoples we are back to square one on the whole business. At which stage someone comes in and accuses you of trolling for repeatedly answering a question in the negative.
Lex Neva wears dorky glasses Join date: 27 Nov 2004 Posts: 1,361	04-29-2006 14:38 Alright, folks. I've figured out what Adriana knows, I think. If I don't have the same exploit here, then I found another similar one. My method allows you to pay a vendor that uses llSetPayPrice() any amount you want to, disregarding the llSetPayPrice() limitations. It doesn't require catching the dialog before it's loaded. It's simple. People could easily stumble upon it by accident. It doesn't require any creativity or complicated "hacking". It's simply a bug in SL. I've reported it just in case mine's different, but I highly doubt it is. The exploitative nature of the bug is completely avoidable by always, always checking the results of a money event. I'd even be so forward as to say that any scripter that trusted llSetPayPrice() isn't one you want to buy a vendor script/system from. I'm not going to post it here, but I'll tell individuals if they IM me and I'm convinced they're not going to use it for evil. IM me in world and we'll talk. Now can we bury this?
Ordinal Malaprop really very ordinary Join date: 9 Sep 2005 Posts: 4,607	04-29-2006 14:45 Hah, my vendors always check the amount on money() because I'm never sure whether I've screwed up somewhere or not, and I don't trust myself. I suppose there are some rewards to self-deprecation.
Adriana Caligari Registered User Join date: 21 Apr 2005 Posts: 458	04-29-2006 14:57 From: Lex Neva Let's just make things clear here -- You're telling people "I know something you don't know", over and over. You're telling scripters this, the people who can do a lot of work to fix the problem that you seem to know. You're lording it over us. You're dangling a carrot in front of our faces. You're telling us that there's some kind of horrible exploit out there, but you're not telling us enough details to fix it. That's the kind of thing that makes people like us lose sleep at night. And no matter how much we beg you for more information, you pull a "Oops, I've said too much" act and clam up. That's unacceptable. You've only accomplished making a lot of people angry. If you never intended to give any details, you shouldn't have hinted at them. In that respect, all you've accomplished is to spark some pretty heated posts. There's plenty of experience out in the wilds of the internet that shows that full disclosure is the way to prevent serious damage in a situation like this. Otherwise, only a few people will know how the exploit works, and if a sufficiently evil person learns, they can organize a wide-scale misuses of the exploit. At this point, if that happens, my feeling is that you will be in some degree ethically responsible for the damage, because you held back the information that would have helped us prevent the damage before it was inflicted. As it stands now, all we know is that SOMETHING is wrong. What do we do, take our vendors offline? Certainly some evil people may read your explanation here... but a lot of good people will, because you've most definitely got our attention now. If linden lab has specifically asked you to be quiet, let us know. Otherwise, I urge you to tell us what you know so that we can start to mitigate the damage. If you don't tell us, evil people will find out anyway, and we'll be at their mercy because we didn't know how to fix the exploit. Sorry - did you say something ?
Prometheus Deckard Registered User Join date: 24 May 2005 Posts: 23	04-29-2006 15:01 I've been kind of busy as of late, and haven't had time to keep up with this topic, so I'm not sure if the 'exploit' has been told to the public. I believe I know the problem, although I'm with anyone who says it shouldn't be said. There would be more problems if everyone knew. All I will say, which I'm sure has been said before, if you're using llSetPayPrice, make sure the amount paid is the same as the amount set. (Way I'm thinking that it can be exploited does not involve any hacking of client or anything else that isn't allowed, so this may even be a 'legal bug') CODE // Set 'amount_to_recieve' somewhere else money(key id, integer amount) { if(amount == amount_to_recieve) { // Do whatever it is that needs doing } else { llInstantMessage(llGetOwner(), "Your vendor at " + (string)llGetRegionName() + " <" + (string)llGetPos() + ">. May have been hacked by " + llKey2Name(llGetObjectOwner(id))); } } (Sorry if some commands aren't correct, wrote this on the forums right now, so commands didn't turn red if they were correct) I've given enough clues as to how I think it may be done. Hope this helps, if not, sorry for taking up some time
Nepenthes Ixchel Broadly Offended. Join date: 6 Dec 2005 Posts: 696	04-29-2006 16:53 From: Lex Neva My method allows you to pay a vendor that uses llSetPayPrice() any amount you want to, Is it a bug s the user interface, or a bug in LSL? I've always considered llSetPayPrice() to be a suggestion, since it relies on the client honoring the values it sends. (And if someone malicious is trying to steal your items, you obviously can't trust thier client)
Lex Neva wears dorky glasses Join date: 27 Nov 2004 Posts: 1,361	04-29-2006 17:03 From: Nepenthes Ixchel Is it a bug s the user interface, or a bug in LSL? I've always considered llSetPayPrice() to be a suggestion, since it relies on the client honoring the values it sends. (And if someone malicious is trying to steal your items, you obviously can't trust thier client) It's a UI bug, a way of getting around llSetPayPrice()'s suggestions. If you wanna know, just IM and ask I'm not going to withhold it, but I don't want to post it right out in the open. That's not to say I think this exploit is anyone's fault but the scripters of affected vendors.
Kokoro Fasching Pixie Dust and Sugar Join date: 23 Dec 2005 Posts: 949	04-29-2006 17:08 From: Strife Onizuka I've notified LL both by bug report & IM, and I've taken steps to notify the portion of the community who are in the outer starndard deviations. I expect it will get fixed monday or tuesday; though I haven't heard back from LL. Interesting.. I belive you owe Adriana an apology then. You did the EXACT same as she did, but you gave her a ration of shyt. Own up to your mistake and apologize!

Welcome to the Second Life Forums Archive

Fast Pay "Exploit"