A serious client-side vulnerability, affecting the accounts of Second Life residents, has been discovered by the GNUCITIZEN Group. The malicious attack allows hackers to steal users' login credentials and hijack their profiles. With a simple one-line exploit code, ANY USER PASSWORD CAN BE COMPROMISED. Second Life residents should treat this vulnerability as HIGH RISK and suspend online activities until further notice.
The vulnerability was discovered within the Internet Explorer URL protocol handler. Specially crafted URLs can be used to launch the Second Life client and pass arbitrary command line options. One of the command line flags, described in the exploit, instructs the client to auto login. Another command line parameter instructs the client to connect and send the login details to an arbitrary HTTP server over XML-RPC. Upon execution, the exploit will launch the client, which will subsequently send the user credentials to a malicious server. This server will collect the data and reset the password to one known by the attacker, thereby hijacking the victim's account.
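The root cause described above is a URL handler that lets the contents of a URL turn into additional command line options for the client. The following added example (not code from the advisory or from the Second Life client) contrasts that unsafe pattern with a hardened one: it assumes a `secondlife://` scheme, a launcher that receives the whole URL as one string, and a strict allow-list grammar for what that string may contain. The URLs and the option name `--injected-option` are constructed for the demonstration.

```python
"""Unsafe versus hardened handling of a URL passed by a browser protocol handler.

Added example, not the Second Life client's code. Assumptions: the scheme is
'secondlife://' and the launcher receives the full URL as a single string.
"""
import re
import shlex
from typing import List

CLIENT_EXE = "SecondLife.exe"  # assumed client executable name

# Conservative allow-list: scheme followed only by unreserved URL characters.
# Whitespace, quotes and a leading dash are impossible under this grammar, so
# nothing inside the URL can be mistaken for a command line switch.
_SAFE_URL = re.compile(r"^secondlife://[A-Za-z0-9._~%/?=&-]*$")


def vulnerable_build_command(url: str) -> List[str]:
    """Unsafe pattern: the URL is spliced into a command string and
    re-tokenised, so whitespace inside the URL becomes extra client
    arguments. Returned as argv to show what the client would actually see."""
    command_line = CLIENT_EXE + " " + url
    return shlex.split(command_line)


def injected_arguments(url: str) -> List[str]:
    """Detection helper: the tokens the unsafe pattern would hand to the
    client beyond the URL itself. Non-empty means argument injection."""
    return vulnerable_build_command(url)[2:]


def hardened_build_command(url: str) -> List[str]:
    """Hardened pattern: validate against the allow-list grammar and pass
    the URL as exactly one argv entry, never through a shell string."""
    if not _SAFE_URL.fullmatch(url):
        raise ValueError("rejected URL: characters outside the allowed set")
    return [CLIENT_EXE, url]


if __name__ == "__main__":
    # Constructed sample inputs: one benign teleport-style URL, one carrying
    # an injected option separated by whitespace.
    benign = "secondlife://app/region/Example%20Region/128/128/0"
    crafted = "secondlife://x --injected-option value"
    print(injected_arguments(benign))   # []
    print(injected_arguments(crafted))  # ['--injected-option', 'value']
    print(hardened_build_command(benign))
    try:
        hardened_build_command(crafted)
    except ValueError as exc:
        print("blocked:", exc)
```

The validation belongs inside the client as well as in the launcher, because the browser-side handler registration is outside the client's control; treating every URL received from a handler as untrusted input, and refusing rather than sanitising anything that does not match the expected grammar, removes the class of bug this advisory describes.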
1. Conduct Industrial Espionage - Many corporate initiatives in the real world debut in Second Life. This practice allows companies to test various programs at a very early stage, before any real world expenditures are made. Hijacking SL identities gives attackers the opportunity to preview a competitor's long-term market strategy before it is launched in the real world.
2. Cause Financial Damage - Credentials stolen by the attacker are bound to a bank account in Linden dollars. Stealing the financial assets could bring the virtual collapse of many small enterprises.
3. Implement Black PR - As with any society, Second Life has its very own opinion shapers and leaders. This vulnerability allows attackers to hijack key profiles to influence public opinion. Alternatively, attackers can put their rivals in many unpleasant situations by faking irrational decisions, initiating conflicts, giving false and confusing information or simply blocking access to the system. Bottom line: the attacker will use this vulnerability to try to defame the target in front of its current and prospective stakeholders.
According to Petko D. Petkov, founder and leading contributor of the GNUCITIZEN group: "Most attackers don't even have to convert the hash back to a password string. Attackers can login with the hash itself by forging a request to one of the Second Life authentication servers. The unhashed password is only needed in situations where the attacker wants to explore other on-line services the victim is currently registered with."
GNUCITIZEN group is an Information Technology security think-tank. Some of their latest research projects include the latest 0day Apple QuickTime remote code execution vulnerability, in-depth analysis of Web 2.0 security issues and a database of the latest client-side cross-site scripting attack vectors. The GNUCITIZEN group members have participated in numerous tiger-team sessions for some of the biggest financial institutions in the United Kingdom and abroad.