Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security IT Games

Owning Virtual Worlds For Fun and Profit 82

Posted by samzenpus from the cash-for-gold dept.
Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"
This discussion has been archived. No new comments can be posted.

Owning Virtual Worlds For Fun and Profit More

Owning Virtual Worlds For Fun and Profit

Comments Filter:

  • So... (Score:3, Informative)

    by Jorl17 ( 1716772 ) on Wednesday August 18, 2010 @07:31PM (#33295468)
    So...we were just told that with every new application comes a new series of security flaws?

    That's what keeps the industry running!

  • Re:Hello 911!!!!! (Score:3, Informative)

    by shadowfaxcrx ( 1736978 ) on Wednesday August 18, 2010 @07:49PM (#33295606)

    funny, but unlike a normal MMO, Second Life's virtual money is purchased with real money by design. And there have already been property-rights lawsuits over virtual land and items within second life.

  • Because that's not how it works. (Score:5, Informative)

    by sstamps ( 39313 ) on Wednesday August 18, 2010 @08:25PM (#33295916) Homepage

    It is just a URL that you enter into a field in the in-world parcel data. The simulator hands it to the viewer (client/browser) and tells it to play that and put it onto a texture that is drawn on a 3D surface. The viewer hands the URL to Quickslime, which then plays it. SL's backend never sees the video file/data, as it is directly downloaded from the target host specified in the URL.

    I supposed you could argue why don't they run some kind of scanner on the URL before allowing it to be posted. Of course, that is pointless for any number of reasons, including:

    1) There is no scanner to check all possible video formats that Quickslime plays, nor one which is foolproof in terms of detecting vulnerabilities.
    2) Since the file/data is not hosted by Linden Lab, a single scan would be useless, as an attacker could put up a valid file, run the scan, then replace the file with a malicious one anytime afterwards.

  • Today's internal Linden Lab discussion... (Score:5, Informative)

    by Anonymous Coward on Wednesday August 18, 2010 @09:21PM (#33296264)

    Here's what happened in one of Linden Lab's internal IRC channel today...

    [16:42] [Linden001] hey, we made slashdot: http://it.slashdot.org/story/10/08/18/2154207/Owning-Virtual-Worlds-For-Fun-and-Profit [slashdot.org]
    [16:45] [Linden002] fascinating.
    [17:11] [Linden003] besides, we enforced the patched version of QuickTime to close this exploit.
    [17:12] [Linden003] there is no mention of that in the article either.
    [17:14] [Linden003] he's writing about ancient history here (2007) -- it must be slow in the internet security guru business.

Slashdot Top Deals

The moon is made of green cheese. -- John Heywood

Close