Second Life Exploit Allows Hackers to Steal Linden Currency from Avatars
Two security researchers have found a security hole in the online virtual world, Second Life, developed by Linden Lab, where cyber-terrorists can purloin Linden dollars from a target's avatar, and also hack his/her PC.
Evidently, that would be very troublesome, since the currency, called Linden dollars, can be directly converted to US dollars.
Second Life is an Internet-based virtual community where consumers can produce avatars and buy virtual property like estate, accommodation, furniture and apparel.
As per Takahashi, security researchers Charles Miller and Dino Dai Zovi informed him that they had exposed a security hole that could permit somebody to con Second Life inhabitants out of their Linden currency.
The exploit code is connected to Apple's QuickTime program, which is utilized for video display in Second Life.
The exploit succeeds because Second Life permits customers to place videos or photos on their avatars or their virtual property. Whenever somebody is in the vicinity or within range of that person, the Second Life program starts QuickTime to handle the video or images. This way, QuickTime leads the Second Life program to another site, reported Mercextra, according to news by TECH.BLORGE.
By attacking the QuickTime glitch, cyber-terrorists can guide the Second Life program to malevolent sites to run Trojan files that might permit them to hijack the target's PC and its Second Life character.
As per the United States Computer Emergency Readiness Team (US-CERT), the vulnerability was detected within the Real Time Streaming Protocol (RTSP) on which QuickTime's hosts and clients are based. Unsuspecting end users who install the malicious RTSP software through a webpage, or via a file, can allow hackers to attack their PCs unnoticed, cautioned the agency. In this situation, cyber-terrorists can easily steal the money of online community users.
Linden Lab has recommended that its customers disable the streaming video playback option in the Second Life Viewer (downloadable program), except while playing in a secure site. Second Life users should comply with this rule until Apple issues a patch.
The officials at Linden asserted that they are well equipped to track down attacks, and that upon detecting a malevolent stream, they are confident of tracking the hacker, reported iTWire on December 3, 2007.
» SPAMfighter News - 14-12-2007