
Internet Explorer Opens Your SecondLife Up To Exploiters

It really shouldn't be a big surprise. Microsoft's Internut Exploder can be tricked into giving up your Second Life login - the details of which can be found in IE Pwns SecondLife.

The exploit can occur when an Internet Explorer (versions 6 and 7) user is directed to log into Second Life - something which is done with a SLUrl, though SLUrl itself apparently does not take advantage of the exploit.

The mechanics of it are rather simple - a naughty script (Common Gateway Interface; CGI) can cause someone to autologin, and the XML-RPC call contains a simple MD5 hash of the password. Oops. You don't even have to log in - just start up the browser.
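Why a bare MD5 of the password in a login call is as good as the password itself, as an added example that is not from the original post or from Linden Lab's code. The two server classes, their names and the nonce-based alternative are assumptions for illustration, not the Second Life login protocol.

```python
import hashlib
import hmac
import secrets

def md5_credential(password: str) -> str:
    # What the post describes: the login call carries MD5(password), identical every time.
    return hashlib.md5(password.encode()).hexdigest()

class StaticHashServer:
    """Hypothetical server that accepts the bare hash as proof of identity."""
    def __init__(self, password: str):
        self.stored = md5_credential(password)

    def login(self, presented: str) -> bool:
        return hmac.compare_digest(self.stored, presented)

class ChallengeServer:
    """Hypothetical alternative: a one-time nonce per login, answered with an HMAC."""
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:   # unknown or already used nonce
            return False
        self.outstanding.discard(nonce)     # each nonce is accepted once
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    password = "constructed-sample-password"          # constructed test value
    leaked = md5_credential(password)                  # what a hostile page would see
    static_replay = StaticHashServer(password).login(leaked)

    key = hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)
    server = ChallengeServer(key)
    nonce = server.challenge()
    response = hmac.new(key, nonce, hashlib.sha256).digest()
    first = server.login(nonce, response)
    challenge_replay = server.login(nonce, response)   # same bytes sent again
    return static_replay, first, challenge_replay

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The static hash logs in without the password ever being known, while the nonce-bound response is rejected the second time it is presented.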

What's in your virtual wallet?

So... if you want to be safe with your virtual persona, be very careful which sites you log in from... and if you want to be really safe, don't use Internet Explorer. Some people like Firefox, but I prefer the less hyped and more integrated browser, Seamonkey.

Or roll the dice. Asking Microsoft for your money back is less likely to have a result than asking Linden Lab to do something about exploiters of land.
