Two diligent security researchers have this week stepped forward to warn users of online virtual world Second Life that their avatar creations could be open to monetary theft at the hands of nefarious online hackers looking to rob them of the mighty Linden Dollar.
Security researchers warn against possible wave of virtual currency theft in Second Life. Credit: Second Life/Linden Lab
The San Jose Mercury News reports that experienced hacker community members Charles Miller and Dino Zovi have discovered a potential exploit in Second Life that allows hackers to sidestep the security measures put in place to prevent users from being separated from their redeemable in-world funds.
The vulnerability has since been confirmed by San Francisco-based Linden Lab and, while the exploit could see users losing their Linden and U.S. dollars if left unchecked, it is believed that Second Life’s creators will be able to quickly address the flaw by issuing a patch.
According to Miller and Zovi, the problem was uncovered by using a recently revealed flaw connected directly to Apple’s QuickTime media player, which is used inside the virtual confines of Second Life. The QuickTime flaw in question was put under the spotlight by Miller and Zovi early last week, which subsequently led to the pair engineering a workable hack only a few days later.
"While we have no evidence that this vulnerability has been used to date within Second Life, we of course want to make sure our residents are aware of the facts, and give them guidance on how they can protect themselves," offered Linden Lab in an official statement posted on Friday through its Second Life blog site.
The hack appears to work much like a virtual mugging, directing in-world QuickTime users to a malicious Web site via infected items placed by hackers, who then proceed to take control of the victim’s avatar and force it to hand over its Second Life funds.
A video demonstration presented by Miller shows an unwitting in-world avatar passing near a hacker’s avatar, at which point an on-screen message states that 12 Linden Dollars have passed into the possession of the hacker’s avatar creation. The hack is thought to be effective up to a range of 100 virtual metres.
"We take security very seriously," outlined Apple spokeswoman Lynn Fox in reaction to the QuickTime exploit. "We have a great track record of addressing vulnerabilities before they can affect users and we are looking into this."
Second Life has said that it may offer reimbursements to any in-world members who have fallen foul of this latest theft-based hack attack.