Comments on: IE pwns SecondLife

By: pdp

pdp — Tue, 07 Apr 2009 20:24:21 +0000

np! :)

By: bobalot

bobalot — Mon, 06 Apr 2009 16:30:35 +0000

o ok well thank you. Honestly wasnt expecting a response wince this eas made so long ago lol. Thanks a ton :D

By: pdp

pdp — Sun, 29 Mar 2009 15:15:24 +0000

it is not working because this is an old bug and you are probably using not vulnerable version of second life.

By: bobalot

bobalot — Sun, 29 Mar 2009 12:52:16 +0000

does this even work anymore? i tryied it and nothing appears in my error folder afterward.

By: Cose Lefevre

Cose Lefevre — Wed, 27 Aug 2008 16:55:36 +0000

Wooo I’m confused, how to build this myself to test it – I have uploaded index & login.php, that works, where do I go from here?!?

By: pdp

pdp — Wed, 27 Aug 2008 16:26:10 +0000

which version are you testing this on?

By: JEB

JEB — Wed, 27 Aug 2008 16:11:21 +0000

I cannot locate my php error file, or at least it doesn’t appear to contain any fresh information, after testing this!

By: Internet Explorer exploit can be used to hack Second Life accounts « Samurai Pickle

Mon, 25 Feb 2008 00:34:33 +0000

[...] but is important enough even for a "me too" post: There is an exploit reported by GNUCitizen that describes – in detail – how a properly formatted web page can be used to trick Internet [...]

By: MustLive

MustLive — Thu, 20 Sep 2007 16:16:04 +0000

pdp, nice one!

It’s nice URI exploitation, CSRF and Information leakage vulnerabilities joint into one attack.

Yes, IE help to pwns SecondLife ;-). And MS will not take any responsibility for their IE “URI feature” :-), so SL need to fix it in their software. Like all others vendors which products are vulnerable to URI exploitation holes.

Nathan and Rios work a lot in case of URI exploitation and command argument injection, and pdp make his contribution. It is new attack surface guys. So every user of SecondLife (and any other software with its own url-handlers) need to attend to security (especially if they use IE). Waiting for new URI-exploit holes.

By: Second Life 1.18.2.1 Tecnolives

Second Life 1.18.2.1 Tecnolives — Thu, 20 Sep 2007 15:32:41 +0000

[...] 1.18.2.1 se tiene corregidos, principalmente, algunos fallos en el sistema de voz, ademÃ¡s de una vulnerabilidad crÃtica reportada hace poco con respecto a las [...]

By: Secondlife Talk » SicherheitslÃ¼cke in Second-Life-Client

Secondlife Talk » SicherheitslÃ¼cke in Second-Life-Client — Wed, 19 Sep 2007 06:41:55 +0000

[...] die es ermÃ¶glicht, die Login-Daten eines Residents zu erspÃ¤hen. Dies wurde durch den Blogger Petko Petkov [...]

By: New risk in the save password feature exposed at My Second Life

New risk in the save password feature exposed at My Second Life — Tue, 18 Sep 2007 23:08:51 +0000

[...] your browser? I bet you did, probably we all did when following an SLURL, for example. Not this blogpost explains how a malicious website could use this feature to obtain the MD5 hash of your Second Life [...]

By: Jonash Vanalten

Jonash Vanalten — Tue, 18 Sep 2007 19:25:34 +0000

I’ve produced a binary patch for the current windows viewer which disables the -loginuri feature and so should prevent the exploit working.

I’ve attached this patch to the JIRA entry for this bug. If you don’t want to wait for the update from Linden, this should corect the issue:

http://jira.secondlife.com/browse/VWR-2508

By: Similes

Similes — Tue, 18 Sep 2007 17:12:07 +0000

Hi, I did some testing :
- On windows, I’ve retrieved the exact same credentials by accessing the page in both IE and FF, making both exploitable.
- On Mac OS however, the URL is taken as a map location, the hack doesn’t occur, it might if you change the URL syntax for the Mac client.

By: Aidan Thornton

Aidan Thornton — Tue, 18 Sep 2007 14:10:39 +0000

Oh, and normally the login information is sent over https – it’s just that the command-line option to select where to login accepts non-https URLs. (There are times when it’s useful to be able to login to somewhere else – for example, the OpenSim project.)

By: Aidan Thornton

Aidan Thornton — Tue, 18 Sep 2007 14:08:17 +0000

Actually, IIRC the hash of the password isn’t quite as good as the password itself. The hash is sufficient to log into the Second Life grid and steal the victim’s L$, but it isn’t sufficient to log in to secondlife.com. In particular, I think changing a user’s password or e-mail address can’t be done using just the hash.

Fortunately, there’s a workaround for this vulnerability – disable saved passwords and enter your password by hand each time you login. (Oh, and be wary of secondlife:// links.)

Also, in this case there’s a good reason for the URL handler – it’s used for linking from websites to locations inworld. Not essential, but definitely nice to have.

Tue, 18 Sep 2007 13:03:51 +0000

[...] Toujours selon GNUCITIZEN, il suffit aux utilisateurs de ne pas employer l’option de mÃ©morisation du mot de passe sur la page d’accueil de Second Life ou encore de ne pas utiliser Internet Explorer pour accÃ©der au net. L’utilisation d’un autre moteur de recherche, style Firefox, constituerait une autre protection contre ce piratage. Pour les fervents de technique, des informations dÃ©taillÃ©es peuvent Ãªtre obtenues sur le site de GNUCITIZEN. [...]

By: Internet Explorer facilita robo de identidad en SecondLife «

Internet Explorer facilita robo de identidad en SecondLife « — Tue, 18 Sep 2007 11:47:32 +0000

[...] info By Lestat Categories: ArticulosyVulnerabilidades GNU Citizen acaba de hacer pÃºblico un nuevo uso para el ya conocido â€œbug compartidoâ€, del que Microsoft se lava las manos y [...]

By: The Second Life Grid Grind » Blog Archive » The knock out blow? Hack allows user access to passwords.

Tue, 18 Sep 2007 10:41:20 +0000

[...] a thing about it. Now this current deal is a much bigger problem. A nice hacker type has published the how-to on sucking SecondLife passwords and user info right from the game. It requires a user to go to a webpage and have Internet Explorer [...]

By: Second Life News for September 18, 2007 « The Grid Live

Second Life News for September 18, 2007 « The Grid Live — Tue, 18 Sep 2007 06:03:27 +0000

[...] IE pwns SecondLife First of all, I must say that I am not a bug hunter. I am more on the side of tactical exploitation – you know figuring out your way through the system. I really hate using exploits and in fact, I find this approach very dull. There is no fun and value in it whatsoever. Anyway, the big news is that IE (Internet Explorer) pwns SecondLife. [...]

Comments on: IE pwns SecondLife

By: pdp

By: bobalot

By: pdp

By: bobalot

By: Cose Lefevre

By: pdp

By: JEB

By: Internet Explorer exploit can be used to hack Second Life accounts « Samurai Pickle

By: MustLive

By: Second Life 1.18.2.1 Tecnolives

By: Secondlife Talk » SicherheitslÃ¼cke in Second-Life-Client

By: New risk in the save password feature exposed at My Second Life

By: Jonash Vanalten

By: Similes

By: Aidan Thornton

By: Aidan Thornton

By: VulnÃ©rabilitÃ© de Second Life ? Attention Ã vos comptes ! « SecondLife Observer France- SLObserver.com

By: Internet Explorer facilita robo de identidad en SecondLife «

By: The Second Life Grid Grind » Blog Archive » The knock out blow? Hack allows user access to passwords.

By: Second Life News for September 18, 2007 « The Grid Live