The Mercury News has a story in which security researchers have found a flaw in the Second Life virtual world that allows them to strip a user’s character of all of its in-world money.
Charles Miller and Dino Dai Zovi, two experienced hackers, claim to have found a vulnerability in the way Second Life protects a user’s money inside the virtual world from being stolen. It matters because that currency, dubbed Linden dollars, can be converted into real-world dollars. But the risks for Linden Lab, the San Francisco operator of Second Life, are limited, because the researchers say the flaw can be quickly patched.
Miller, a researcher at the security firm Independent Security Evaluators in Baltimore, gained some notoriety this summer when he found a way to hack Apple’s iPhone. He said that he and Dai Zovi found the flaw by exploiting a known problem with Apple’s QuickTime movie playback software, which is used to play movies inside the virtual world. That QuickTime flaw was exposed on Monday, and the pair completed their hack in a few days. It gave an opening to Dai Zovi and Miller, who had been mulling over Second Life security for months.
The exploit works because Second Life allows users to embed videos or pictures on their character or on their virtual property. When someone comes nearby and within view of the object, the Second Life software launches QuickTime to play the video or picture. In doing so, QuickTime directs the Second Life software to a web site. By exploiting the flaw in QuickTime, the hackers can direct the Second Life software to a malicious web site that then allows them to take over the Second Life avatar.
When we last tried to reach the ISE page where the security problem is said to be explained in detail, http://www.securityevaluators.com/sl, the page did not open.
In another story, Swedish authorities said in January 2007 they would clamp down on Swedes earning money through Internet games such as Second Life.
Indeed, while Second Life may have started as a utopian world where gamers, geeks, and technophiles could gather and immerse themselves in the pure and innocent escapism of a genuine second life, the rocketing popularity of Linden Lab’s online world has now begun attracting the attention of people intent on destruction, and even violence, reports the Concord Monitor.
Here are some recent incidents that happened in Second Life and other virtual worlds around the Internet.
- Australian broadcaster ABC had its luxury island turned into a crater by angry hackers.
- Worrying reports of rape and child abuse have started to gather around the supposedly idyllic existence to be ‘enjoyed’ in Second Life.
- The above-mentioned rape incident, which took place earlier in 2007, caused outrage when one virtual avatar was sexually assaulted by another.
- Police in Belgium opened an investigation not into who perpetrated the rape, but into whether an actual crime had been committed.
- A 17-year-old Dutch teenager was arrested this week on suspicion of stealing furniture worth £2,800 from a hotel room in the three-dimensional world Habbo Hotel, a children’s game that exists only on the internet.
- German authorities have also homed in on an incident of sexual abuse involving live images of a child avatar having simulated sex with an adult avatar.
- Virtual gangs are killing off lone in-game players and stealing their wares, which are later sold on for real-world profit.
- A Shanghai-based 41-year-old Legend of Mir 3 online gamer stabbed another, cheating player repeatedly in the chest after that player stole an in-game weapon reportedly worth some $850 USD.
- British cops will be going undercover in Second Life to investigate depictions of adult-child sex and track down pedophiles.
All of this, of course, raises the question of whether a virtual world such as Second Life should be governed by a virtual police force.
Independent Security Evaluators’ mission is to provide the outside technical resources companies need to control their technology risk. The experts at ISE have vast experience in every facet of security. The team includes computer scientists, electrical engineers, and cryptographers. ISE experts have testified before Congress, served as expert witnesses, participated in creating standards, and evaluated systems for both government and private industry.
ISE researchers have published several influential books and dozens of scientific papers in the top refereed conferences and journals. They have also analyzed and helped repair several widely used commercial systems. ISE was formed to offer this expertise to the private sector.
On the other side, in response to the security issues pointed out by the hackers, Joe Miller, VP at Linden Lab in San Francisco, CA, replied:
I want to reiterate that this is an Apple QuickTime issue, not a flaw inherent in Second Life, and as such, affects all platforms and browsers that use QT. Second Life remains a viable environment for conducting business, with a stable economy and the appropriate Resident and economic controls in place.
Linden Lab alerted all Second Life Residents of this exploit both on the official Linden Lab blog and at log-in on Friday afternoon. In addition, the Second Life community is doing a great job of spreading the word, and letting their fellow residents know about the potential issues surrounding the use of QT. I can assure you that no other affected platform is communicating with their customers as thoroughly as we are.
We have measures in place to deal with this type of exploited vulnerability – including the ability to log and track URLs, identify the attackers and take the appropriate measures, as well as making sure that affected Residents are reimbursed if they should lose any Linden dollars.
We’re hopeful Apple will remedy this problem as soon as possible, and we pledge to alert Residents as soon as the fix has been made.
According to Second Life’s website, there were 6,491,898 residents in its alternative reality. Second Life, created by San Francisco technology company Linden Lab, has attracted several real-world companies, including car manufacturers and sports clothing makers, which have created 3-D stores.
Second Life is a 3-D virtual world entirely created by its Residents. Since opening to the public in 2003, it has grown explosively and today is inhabited by millions of Residents from around the globe. From the moment you enter the World you’ll discover a vast digital continent, teeming with people, entertainment, experiences and opportunity. Once you’ve explored a bit, perhaps you’ll find a perfect parcel of land to build your house or business. You’ll also be surrounded by the Creations of your fellow Residents. Because Residents retain the rights to their digital creations, they can buy, sell and trade with other Residents. The Marketplace currently supports millions of US dollars in monthly transactions. This commerce is handled with the in-world unit-of-trade, the Linden dollar, which can be converted to US dollars at several thriving online Linden Dollar exchanges.
Other virtual worlds include:
- Entropia Universe (http://www.entropiauniverse.com/), the Swedish virtual world, which had a turnover of $365m last year.
- Habbo (http://www.habbo.com/), owned by a Finnish company, Sulake, boasts more than 80 million members today.
- VOY Plaza Virtual (http://www.voyplaza.com/vpv.html)
- There.com (http://There.com.com)
- Club Penguin (http://www.clubpenguin.com/), recently sold to Disney.
- Active Worlds (http://www.activeworlds.com/)
- Barbie Girls (http://www.barbiegirls.com/)
- Cyworld (http://us.cyworld.com/)
- Dubit (http://www.dubitchat.com/)
- Faketown (http://www.faketown.com/)
- BBC’s Adventure Rock (http://bbc.co.uk/cbbc/adventurerock)
- World of Warcraft (http://worldofwarcraft.com)
- Gaia (http://www.gaiaonline.com/). The game has just been funded by Sony Pictures.
- IMVU (http://www.imvu.com/)
- Kaneva (http://www.kaneva.com/)
- Millsberry (http://millsberry.com/)
- Mokitown (http://www.mobile-kids.net/)
- Neopets (http://www.neopets.com/)
- Red Light Center (NSFW) (http://redlightcenter.com/)
- Webkinz (http://www.webkinz.com/)
- Zwinktopia by InterActiveCorp (http://www.zwinktopia.com/)
- Openlife Grid (http://www.openlifegrid.com/), a public grid built on OpenSim technology.
- ViOS – ViOS 3D Internet Viewer (http://en.wikipedia.org/wiki/ViOS)
- Whyville (http://www.whyville.net/top/index.html)
- Citypixel (http://www.citypixel.com/)
- Weblo (http://www.weblo.com/)
[http://www.mercextra.com/blogs/takahashi/2007/11/30/exclusive-hackers-say-they-can-pick-pockets-of-characters-in-second-life-virtual-world/]
[http://www.kb.cert.org/vuls/id/659761]
[http://www.securityevaluators.com/sl/]
[http://secondlife.com/whatis/]
[http://www.thelocal.se/7347/20070518/]
[http://www.guardian.co.uk/technology/2007/nov/17/internet.crime]
[http://metasecurity.net/2007/06/05/crime-rife-in-virtual-second-life/]
[http://www.techcrunch.com/2007/08/05/virtual-world-hangouts-so-many-to-choose-from]
[http://en.wikipedia.org/wiki/Virtual_world]
[http://www.virtualworldsreview.com/]