
Owning Virtual Worlds For Fun and Profit

Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"
  • by Securityemo ( 1407943 ) on Wednesday August 18, 2010 @07:32PM (#33295472) Journal
    A program that interacts with a virtual world in this manner is no different from a browser or other client. And clients have historically been a huge source of attack vectors. Now, what would be useful and unique - stealing the user's stuff by infecting the client or MITMing the connection at the client machine (between the client software and the network card.) The admins could easily pick up on this and trace the trail the simoleons/swords/whatever takes - but by then, they could already have been sold for real money to some poor guy who thought he got a great deal. Especially in Second Life, where it seems like transactions like that can take place very rapidly.
  • by clone53421 ( 1310749 ) on Wednesday August 18, 2010 @07:32PM (#33295476) Journal

    SecondLife didn’t balk when they embedded a malformed QuickTime media file on their pink cube?

    Even 4chan scans .jpeg files for embedded RAR archives... how hard is it to figure out that a QuickTime file’s structure is invalid?

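The question above, whether a service can tell that a QuickTime file's structure is invalid before handing it to a player, is answerable in a few dozen lines. The following is an added example, not code from the Slashdot thread, from Linden Lab or from Apple: a defender-side pre-check that walks the QuickTime/MP4 atom tree and rejects files whose size fields contradict the bytes actually present. The atom type sets, the depth bound and the three in-memory sample files are constructed for the example. Structural consistency is only a first filter; the decoder still has to be patched and ideally isolated, since a self-consistent atom tree can still carry a payload the decoder mishandles.

```python
"""Structural validation of QuickTime/MP4 'atom' containers (added example).

Checks only that the atom tree is self-consistent: every size field fits its
parent, no header is shorter than 8 bytes, and nesting stays shallow.  It is
not a codec and does not try to understand atom payloads.
"""
import struct

# Container atoms whose payload is itself a sequence of atoms (assumed subset).
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"dinf", b"udta"}
# Atom types this checker accepts as the first atom of a file (assumed subset).
TOP_LEVEL_ATOMS = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"uuid"}
MAX_DEPTH = 8  # legitimate files nest only a few levels


def walk_atoms(data, start, end, depth, problems):
    """Walk atoms in data[start:end]; append problems found; return atoms seen."""
    if depth > MAX_DEPTH:
        problems.append(f"nesting deeper than {MAX_DEPTH} at offset {start}")
        return 0
    pos = start
    count = 0
    while pos < end:
        if end - pos < 8:
            problems.append(f"trailing {end - pos} byte(s) at offset {pos} (header needs 8)")
            break
        size, atype = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:  # 64-bit extended size follows the type field
            if end - pos < 16:
                problems.append(f"truncated extended size at offset {pos}")
                break
            (size,) = struct.unpack(">Q", data[pos + 8:pos + 16])
            header = 16
        elif size == 0:  # atom runs to the end of the enclosing region
            size = end - pos
        if size < header:
            problems.append(f"atom {atype!r} at offset {pos} has size {size} < header {header}")
            break
        if pos + size > end:
            # This is the lie a naive reader would trust and then read past its buffer.
            problems.append(f"atom {atype!r} at offset {pos} claims {size} bytes but only "
                            f"{end - pos} remain in its parent")
            break
        if atype in CONTAINER_ATOMS:
            walk_atoms(data, pos + header, pos + size, depth + 1, problems)
        pos += size
        count += 1
    return count


def validate_quicktime(data):
    """Return a list of structural problems; empty means the atom tree is self-consistent."""
    if len(data) < 8:
        return ["file shorter than one atom header"]
    problems = []
    first_type = data[4:8]
    if first_type not in TOP_LEVEL_ATOMS:
        problems.append(f"unexpected first atom type {first_type!r}")
    walk_atoms(data, 0, len(data), 0, problems)
    return problems


def atom(atype, payload=b""):
    """Build one atom with a 32-bit size field (helper for the constructed samples)."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


# Constructed sample 1: a tiny but well-formed layout: ftyp, moov{mvhd}, mdat.
GOOD_FILE = (atom(b"ftyp", b"qt  " + b"\0" * 4 + b"qt  ")
             + atom(b"moov", atom(b"mvhd", b"\0" * 100))
             + atom(b"mdat", b"\xff" * 16))

# Constructed sample 2: the mvhd atom inside moov claims 0x7fffffff bytes,
# far more than the file holds.
BAD_SIZE_FILE = (atom(b"ftyp", b"qt  ")
                 + atom(b"moov", struct.pack(">I4s", 0x7FFFFFFF, b"mvhd") + b"\0" * 16))

# Constructed sample 3: a size field smaller than the 8-byte header.
TINY_SIZE_FILE = atom(b"ftyp", b"qt  ") + struct.pack(">I4s", 3, b"moov")

if __name__ == "__main__":
    for name, blob in [("good", GOOD_FILE), ("oversized", BAD_SIZE_FILE), ("tiny", TINY_SIZE_FILE)]:
        print(name, validate_quicktime(blob) or "ok")
```

Run it on an uploaded file before the file reaches any decoder; a non-empty list is a reason to reject the upload and to log the offending offset and atom type for the incident record.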
  • by Jarik C-Bol ( 894741 ) on Wednesday August 18, 2010 @07:35PM (#33295506)
    It's Second Life, do you really expect anything positive from it? It's the Mos Eisley spaceport of gaming.
  • by Sycraft-fu ( 314770 ) on Wednesday August 18, 2010 @07:47PM (#33295584)

    Seriously, the media seems to have a massive hard on for Second Life because they think it is the way the Internet ought to go. In reality Second Life is a pretty substandard MMO with very few players. Why the hell do the fluff stories about it make Slashdot front page news?

    Goes double since it sounds like this problem is fairly unique to SL. If you start seeing this in WoW and Aeon and EVE and so on then that's a story. However this is just a case of a poor excuse for an MMO having poor security. This would be the same as posting "Hey, Cadence SBP 16.3 has a security vulnerability and you need to upgrade to 16.3.014!" Nobody gives a shit, at least not enough people for it to be worth front page Slashdot. I understand if there's a security issue in a major OS, or an app that is widely used but in SL? Who cares? Not enough people to make it /. worthy I'd think.

  • by blair1q ( 305137 ) on Wednesday August 18, 2010 @08:44PM (#33296040) Journal

    They don't care what you bought and sold, they want to know you did it and how much you made from it.

    Then they want you to add that to your AGI and pay tax on it.

    If you buy a virtual item for real money, then sell it for more real money, you are legally required to report the difference as income to the IRS.

    Bartering virtual items (gold, swords, etc.) for each other is no different. You take the value you got for it, subtract the value you originally paid for it, and that's your income from the trade, which you have to report (in dollars, not quatloos) on a 1099-B for the year you made the trade. The tricky part is defining the value of something you've never seen traded for real items.
