
Security researchers have demonstrated a multimedia
security flaw in the Second Life virtual reality site,
which allows attackers to steal money.
Charlie Miller, a security analyst at Independent Security
Evaluators, and security expert Dino Dai Zovi decided to
investigate the security of online games.
This resulted in an exploit for Linden-owned Second Life that
makes any affected player hand the attacker their Linden dollars
and yell "I got hacked!".
In other words, it is possible to exploit a player to steal
Linden dollars, and then cash them out for real US dollars.
All the victim has to do is have video enabled and enter a piece
of land owned by the attacker.
The actual vulnerability lies in the third-party QuickTime
Player made by Apple. A vulnerability was announced last November
in the way QuickTime handles Real Time Streaming Protocol (RTSP)
media tunnelling responses.
Second Life allows players to embed media files in Second Life
objects, and uses QuickTime to handle all video rendering. It is
possible to have these media elements constantly playing.
If a Second Life avatar walks onto a piece of land that contains
an embedded malicious QuickTime file, they can be exploited.
Once the malicious file has been viewed by the victim, the
attacker has complete control over the victim's computer - and
Second Life avatar. At this point the exploit could make the avatar
do anything the attacker likes.
This particular exploit freezes the avatar and makes it
send the attacker's avatar 12 Linden dollars and shout "I got
hacked".
The hack demonstrated by the researchers sees victim Sussy McBride
wandering along and minding her own business, until she stumbles
upon a piece of land with a small purple box (the exploit). Very
shortly after, she freezes and sends attacker Pwned Naglo 12 Linden
dollars and yells that she was hacked.
The researchers say an exploit could be delivered in multiple
ways: when a victim looks at a shirt that a character is wearing,
for instance, or when a character whispers something to another
character.
It is believed the latest updated version of QuickTime blocks
the security hole demonstrated by the researchers.