It really shouldn't be a big surprise. [w:Microsoft]'s [w:Internet Explorer|Internut Exploder] can be tricked into giving up your Second Life login - the details of which can be found in IE Pwns SecondLife.
The exploit can occur when an Internet Explorer (version 6 or 7) user is directed to log into Second Life - something normally done with a SLUrl, though the SLUrl mechanism itself does not appear to be what the exploit abuses.
The mechanics are rather simple - a naughty server-side script (Common Gateway Interface; CGI) can cause the client to auto-login, and the XML-RPC login call contains a plain MD5 hash of the password. Oops. You don't even have to log in yourself - just starting up the browser is enough.
What's in your virtual wallet?
So... if you want to be safe with your virtual persona, be very careful which sites you log in from... and if you want to be really safe, don't use Internet Explorer. Some people like Firefox, but I prefer the less hyped and more integrated browser, SeaMonkey.
Or roll the dice. Asking Microsoft for your money back is less likely to have a result than asking Linden Lab to do something about exploiters of land.
- Nobody Fugazi's blog
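The "simple MD5 hash of the password" point deserves a closer look, so here is an added illustration (constructed for this page, not Second Life's real login protocol and not code from the post's author) of why a static password hash in a login call is a reusable credential, and how a nonce-based challenge-response removes the replay value of a captured message. The user name, password and salt are made-up sample values.

```python
"""Constructed demo: static md5(password) credential vs. challenge-response.

Not Second Life's protocol; every name and value here is a made-up sample.
"""
import hashlib
import hmac
import secrets


# --- Weak pattern: the login message carries md5(password) ----------------
# Whoever sees one such message (or tricks a client into sending one, as the
# post describes) holds a credential the server will accept again and again.

def weak_login_message(username: str, password: str) -> dict:
    """Build a login call whose credential is a plain, unsalted MD5 hash."""
    return {"user": username,
            "passwd": hashlib.md5(password.encode()).hexdigest()}


def weak_server_verify(msg: dict, stored_md5: str) -> bool:
    """Server side: accept if the hash matches; nothing ties it to this session."""
    return hmac.compare_digest(msg["passwd"], stored_md5)


# --- Hardened pattern: challenge-response over a derived secret -----------
# The server issues a single-use random nonce; the client proves it knows the
# secret by MACing (username + nonce). A replayed response names a nonce that
# has already been consumed, so it is rejected.

def derive_secret(password: str, salt: bytes) -> bytes:
    """Both sides derive the same per-user secret from password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def client_response(secret: bytes, username: str, nonce: str) -> str:
    """Client side: authenticate the server's nonce with the derived secret."""
    return hmac.new(secret, (username + nonce).encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    def __init__(self, stored_secret: bytes):
        self.secret = stored_secret          # verifier stored at enrolment
        self.outstanding: set[str] = set()   # nonces issued but not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, response: str) -> bool:
        if nonce not in self.outstanding:
            return False                     # unknown or already-used nonce
        self.outstanding.discard(nonce)      # each nonce is accepted once
        expected = client_response(self.secret, username, nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both schemes and report whether a captured message replays."""
    user, password = "sample_avatar", "correct horse battery staple"  # constructed

    # Weak scheme: the same captured message is accepted a second time.
    stored_md5 = hashlib.md5(password.encode()).hexdigest()
    captured = weak_login_message(user, password)
    weak_first = weak_server_verify(captured, stored_md5)
    weak_replay = weak_server_verify(captured, stored_md5)

    # Hardened scheme: the captured response is bound to a consumed nonce.
    salt = b"constructed-salt"                                          # constructed
    secret = derive_secret(password, salt)
    server = ChallengeServer(secret)
    nonce = server.challenge()
    captured_response = client_response(secret, user, nonce)
    strong_first = server.verify(user, nonce, captured_response)
    strong_replay = server.verify(user, nonce, captured_response)

    return {"weak_first_accepted": weak_first,
            "weak_replay_accepted": weak_replay,
            "strong_first_accepted": strong_first,
            "strong_replay_accepted": strong_replay}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Challenge-response only takes the value out of a message an attacker has already captured; it does nothing about a client that can be made to start a login on someone else's behalf, which is the trigger the post is really about.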

really safe?
hmmm... just thinking - wouldn't good advice be to un-check the "Remember password" box on the SL client login screen? Kinda applies to all auto-login processes (software, websites, etc), and would have avoided this (and other) exploits.
Sure it would be.
Sure it would be. But this particular exploit works for other uses of a client as well.
This post here indicates that the bug was also seen in the Firefox/Mozilla core, but has been patched (upgrade your browsers, people...)