2007-12-02

Your Linden dollars might not be safe anymore

The Mercury News reports that security researchers have found a flaw in Second Life that allows pickpockets to strip avatars of all of their virtual money.

Hackers Charles Miller and Dino Dai Zovi claim they have found a vulnerability in the way SL protects its users’ virtual cash from theft. That cash can be converted into real-world currency (about 250 Linden dollars equals one U.S. dollar). Researchers, however, say the flaw can be quickly patched.

Miller and Dai Zovi found the flaw by exploiting a known problem with Apple’s QuickTime movie playback software, which is used to play movies inside the virtual world. When an avatar comes nearby and is within view of the object, the Second Life software activates QuickTime so it can play the video or picture. In doing so, QuickTime directs the SL software to a web site. By exploiting the flaw in QuickTime, the hackers can direct this software to a malicious web site that then allows them to take over the avatar and force it to hand over its Linden dollars. The range of the hack is approximately 100 virtual feet. This security breach poses a serious threat to those of the 10.5 million registered Second Lifers who are trying to make a living in the virtual world by selling goods and services.

Second Life does not have bank-like security. For now, the best way to keep your virtual money safe from potential pickpockets is to exchange Linden dollars for US dollars regularly, so as not to keep too many Lindens in your SL account. Players can also turn off the "play streaming video when available" feature in the edit preferences menu of the Second Life software. Luckily for them (and their money), Apple is moving to fix the QuickTime flaw.
