Comments on: IE pwns SecondLife

By: Cose Lefevre

Cose Lefevre — Wed, 27 Aug 2008 16:55:36 +0000

Wooo I’m confused, how to build this myself to test it - I have uploaded index & login.php, that works, where do I go from here?!?

By: pdp

pdp — Wed, 27 Aug 2008 16:26:10 +0000

which version are you testing this on?

By: JEB

JEB — Wed, 27 Aug 2008 16:11:21 +0000

I cannot locate my php error file, or at least it doesn’t appear to contain any fresh information, after testing this!

By: Internet Explorer exploit can be used to hack Second Life accounts « Samurai Pickle

Mon, 25 Feb 2008 00:34:33 +0000

[...] but is important enough even for a "me too" post: There is an exploit reported by GNUCitizen that describes - in detail - how a properly formatted web page can be used to trick Internet [...]

By: MustLive

MustLive — Thu, 20 Sep 2007 16:16:04 +0000

pdp, nice one!

It’s nice URI exploitation, CSRF and Information leakage vulnerabilities joint into one attack.

Yes, IE help to pwns SecondLife ;-). And MS will not take any responsibility for their IE “URI feature” :-), so SL need to fix it in their software. Like all others vendors which products are vulnerable to URI exploitation holes.

Nathan and Rios work a lot in case of URI exploitation and command argument injection, and pdp make his contribution. It is new attack surface guys. So every user of SecondLife (and any other software with its own url-handlers) need to attend to security (especially if they use IE). Waiting for new URI-exploit holes.

By: Second Life 1.18.2.1 Tecnolives

Second Life 1.18.2.1 Tecnolives — Thu, 20 Sep 2007 15:32:41 +0000

[...] 1.18.2.1 se tiene corregidos, principalmente, algunos fallos en el sistema de voz, ademÃ¡s de una vulnerabilidad crÃtica reportada hace poco con respecto a las [...]

By: Secondlife Talk » SicherheitslÃ¼cke in Second-Life-Client

Secondlife Talk » SicherheitslÃ¼cke in Second-Life-Client — Wed, 19 Sep 2007 06:41:55 +0000

[...] die es ermÃ¶glicht, die Login-Daten eines Residents zu erspÃ¤hen. Dies wurde durch den Blogger Petko Petkov [...]

By: New risk in the save password feature exposed at My Second Life

New risk in the save password feature exposed at My Second Life — Tue, 18 Sep 2007 23:08:51 +0000

[...] your browser? I bet you did, probably we all did when following an SLURL, for example. Not this blogpost explains how a malicious website could use this feature to obtain the MD5 hash of your Second Life [...]

By: Jonash Vanalten

Jonash Vanalten — Tue, 18 Sep 2007 19:25:34 +0000

I’ve produced a binary patch for the current windows viewer which disables the -loginuri feature and so should prevent the exploit working.

I’ve attached this patch to the JIRA entry for this bug. If you don’t want to wait for the update from Linden, this should corect the issue:

http://jira.secondlife.com/browse/VWR-2508

By: Similes

Similes — Tue, 18 Sep 2007 17:12:07 +0000

Hi, I did some testing :
- On windows, I’ve retrieved the exact same credentials by accessing the page in both IE and FF, making both exploitable.
- On Mac OS however, the URL is taken as a map location, the hack doesn’t occur, it might if you change the URL syntax for the Mac client.

By: Aidan Thornton

Aidan Thornton — Tue, 18 Sep 2007 14:10:39 +0000

Oh, and normally the login information is sent over https - it’s just that the command-line option to select where to login accepts non-https URLs. (There are times when it’s useful to be able to login to somewhere else - for example, the OpenSim project.)

By: Aidan Thornton

Aidan Thornton — Tue, 18 Sep 2007 14:08:17 +0000

Actually, IIRC the hash of the password isn’t quite as good as the password itself. The hash is sufficient to log into the Second Life grid and steal the victim’s L$, but it isn’t sufficient to log in to secondlife.com. In particular, I think changing a user’s password or e-mail address can’t be done using just the hash.

Fortunately, there’s a workaround for this vulnerability - disable saved passwords and enter your password by hand each time you login. (Oh, and be wary of secondlife:// links.)

Also, in this case there’s a good reason for the URL handler - it’s used for linking from websites to locations inworld. Not essential, but definitely nice to have.

By: VulnÃ©rabilitÃ© de Second Life ? Attention Ã vos comptes ! « SecondLife Observer France- SLObserver.com

Tue, 18 Sep 2007 13:03:51 +0000

[...] Toujours selon GNUCITIZEN, il suffit aux utilisateurs de ne pas employer l’option de mÃ©morisation du mot de passe sur la page d’accueil de Second Life ou encore de ne pas utiliser Internet Explorer pour accÃ©der au net. L’utilisation d’un autre moteur de recherche, style Firefox, constituerait une autre protection contre ce piratage. Pour les fervents de technique, des informations dÃ©taillÃ©es peuvent Ãªtre obtenues sur le site de GNUCITIZEN. [...]

By: Internet Explorer facilita robo de identidad en SecondLife «

Internet Explorer facilita robo de identidad en SecondLife « — Tue, 18 Sep 2007 11:47:32 +0000

[...] info By Lestat Categories: ArticulosyVulnerabilidades GNU Citizen acaba de hacer pÃºblico un nuevo uso para el ya conocido â€œbug compartidoâ€, del que Microsoft se lava las manos y [...]

By: The Second Life Grid Grind » Blog Archive » The knock out blow? Hack allows user access to passwords.

Tue, 18 Sep 2007 10:41:20 +0000

[...] a thing about it. Now this current deal is a much bigger problem. A nice hacker type has published the how-to on sucking SecondLife passwords and user info right from the game. It requires a user to go to a webpage and have Internet Explorer [...]

By: Second Life News for September 18, 2007 « The Grid Live

Second Life News for September 18, 2007 « The Grid Live — Tue, 18 Sep 2007 06:03:27 +0000

[...] IE pwns SecondLife First of all, I must say that I am not a bug hunter. I am more on the side of tactical exploitation - you know figuring out your way through the system. I really hate using exploits and in fact, I find this approach very dull. There is no fun and value in it whatsoever. Anyway, the big news is that IE (Internet Explorer) pwns SecondLife. [...]

By: Second Life web resources for September 15th 2007 through September 17th 2007 | VintFalken.com

Tue, 18 Sep 2007 00:31:14 +0000

[...] IE pwns SecondLife - GNUCITIZEN - ‘Attackers can steal the victim’s login credentials, therefore hijacking their virtual persona, by simply tricking them into visiting a malicious Web page. Here is an example…’ FF was vulnerable too, but they patched it already? (via Nobody Fugazi) [...]

By: King’s Corner » Blog Archive » Another reason not to save your password

Mon, 17 Sep 2007 22:52:39 +0000

[...] even on your own computer: GNUCitizen points out a very easy way that a knowledgeable person could get your Second Life credentials. I’m handy with computers, but not a true geek. I will admit that I don’t understand [...]

By: Internet Explorer facilita robo de identidad en SecondLife

Internet Explorer facilita robo de identidad en SecondLife — Mon, 17 Sep 2007 21:03:55 +0000

[...] Citizen acaba de hacer pÃºblico un nuevo uso para el ya conocido “bug compartido”, del que Microsoft se lava las manos [...]

By: Salusa

Salusa — Mon, 17 Sep 2007 20:52:45 +0000

It would seem to me that the blame for this lands solidly on SecondLife. Let’s count the problems:
1) Not sanity checking the results of URL handlers. (Note that MS does explain that it passes the string on to you unmodified, thus they can hardly blame IE for behaving as documented. http://msdn2.microsoft.com/en-.....67914.aspx)
2) Allowing the login information to be sent in the clear. (I notice that HTTP not HTTPS is used here.)
3) Not protecting the credentials. Since, as you note, the hash of the password is as good as the password itself, they gain no (real) benefit by passing it as opposed to raw password.

Clearly, they need to re-work their authentication frame-work.