Comments on: [RESOLVED] Second Life URL Handler Exploit

By: Nikki Claymore

Nikki Claymore — Wed, 19 Sep 2007 14:58:26 +0000

Re: Firefox vulnerability debate.

http://www.mozilla.org/security/announce/2007/mfsa2007-27.html

This issue can only occur for firefox users who don’t update and are running prior to Firefox 2.0.0.6 current version is Firefox 2.0.0.7.

By: Sofia Westwick

Sofia Westwick — Wed, 19 Sep 2007 12:37:08 +0000

Its not just about voice its abotu the interface. The voice one is very differnet then 1.18.0.6. and alot of us do not want to be stuck with the new interface.

So we will be happy with one same style as 1.18.0.6

By: Tammy Nowotny

Tammy Nowotny — Wed, 19 Sep 2007 12:16:16 +0000

About the voice viewer problem: you can simply Edit the Preferences and turn off Voice Chat. There is a checkbox on the Voice Chat tab. The new viewer still has a slightly different chat window, but at least you will now not have voice.

By: Unmitigated Gall

Unmitigated Gall — Wed, 19 Sep 2007 09:35:47 +0000

Strange that all calls using the “secondlife//” http reqest are now considered someone trying to exploit the vulnerability. I have used that call for years to link people into the game from email. All that has changed is you have become aware that someone is now using a hack to get user info. The only change you should make is removal of the “Remember Password” box. Issue solved, all platforms and viewers.

By: Unmitigated Gall

Unmitigated Gall — Wed, 19 Sep 2007 09:16:24 +0000

TAMARA,

MANY OF US DO WANT VOICE. VERY SIMPLE, YOU DONT WANT IT, DONT ACTIVATE IT? SO DAM SIMPLE.

By: Jabath Steuart

Jabath Steuart — Wed, 19 Sep 2007 08:56:04 +0000

I posted the link above so you could read the tips, if you want to use the password strength meter, please follow this advice:

“Please note that although we will not store the password you enter, it’s never a good idea to send your password to someone you don’t know. Instead, we recommend testing a password which is *similar* to one you might use.”

By: Jabath Steuart

Jabath Steuart — Wed, 19 Sep 2007 08:53:23 +0000

For those who don’t understand the jargon, here is the exploit:

You go to a web page in Internet Explorer with SL not running, the webpage has some nasty code in it that launches SL (through what they call a url handler) and tries to log in. BUT the code tells SL to log in to the nasty cracker’s server, not the LL server. If you have the “remember password” box checked on the SL login screen, your password is sent to the cracker’s server. Your login will then fail.

If SL IS running when you go to the bad web page, it will not try to log in, and it won’t send your password. The map might pop up though.

If you are using Firefox and not IE, the same thing happens, except firefox does the urlhandler thing properly, and SL wont send your password to the cracker.

Q: Who’s fault is this? LL and Microsoft
Q: What should I do about it?
A: Minimum: Uncheck the Remember Password box and wait for the update.
Reasonable: Set IE security settings to high and never use it again. Install Firefox or Opera browser and set it to be your default browser. Change your SL password (and all your other passwords) bi-monthly or better. Use a password of at least 8 characters using lowercase and uppercase letters, numbers and at least one symbol

http://www.securitystats.com/tools/password.php

By: Sofia Westwick

Sofia Westwick — Wed, 19 Sep 2007 07:51:05 +0000

Please do keep a viewer alive for us who can’t use Voice for hearing reasons or us who just don’t want to bother with it. I my self am using the 1.18.0.6 client. and I would like to keep using this style I prefer the 1.18.0.6 interface and none voice over the other viewers/client interfaces. I do not want to be forced to use the voice style update and interface

All of us who use the 1.18.0.6 style would be very greatful for a version like this when the the required upgrade is out.

By: void singer

void singer — Wed, 19 Sep 2007 07:09:52 +0000

::desperately misses the old ui for multiple reasons, new is too blocky, im now tied to new oversized communicate, loss of “alt shows…, etc::

for those that still want the old saved pw function, but not the vunerability try modifing a shortcut to seccondlife to the following:

“C:\Program Files\SecondLife\SecondLife.exe” -login first last password

change first last and password to your own info
this will connect you automatically to whatever your location is set to skipping the info page. IF YOU WANT THE INFO PAGE, DON’T THIS!

if you hate that it redetects your hardware EVERY time add -noprobe before -login (by itself this won’t cause you to skip the info page)

if you want to make it log into a specific location add -url secondlife://region/x/y/z to the end

replace region and xyz with the sim name and coordinates. you can use this w/o the others to set your login location and still keep the info page

example:

“C:\Program Files\SecondLife\SecondLife.exe” -noprobe -login your name password -url secondlife://ahern/128/128/0

IMPORTANT NOTE: anyone that click on the shorcut can see you password if you specify it, so you probably shouldn’t do this if you share your destop with another user. dunno what the equivalent for Mac users is, linux users can obviously figure out the difference

- Void

By: U M

U M — Wed, 19 Sep 2007 06:15:33 +0000

@ 89 everyone knew this woud happen. Many caleld for safe measures. But LL didnt pat any attention until someone causes this problem to be noticed. A little too late as always don`t you think.