Malicious Scripts at Stillman Bazaar


Just a general heads-up to everyone who offers free items at Stillman.

As I was checking my transaction logs I noted that one of the items I have at the bazaar had its name changed. Upon examination I noted that somebody had added some "vendor" scripts to the item. The scripts were added on September 1. They are no mod and I have no idea what they actually do, but they do request debit permissions when you rez the item, so they could be malicious and potentially drain the accounts of innocent freebie shoppers.

The scripts are present in numerous items at the bazaar that have been shared with the group. If you've got free items there, I strongly recommend that you go have a look at them. The name of the script is "Updater Vendor System". 

It is impossible for me to know what actually is in the script, or who is responsible for them being in the bazaar items, but it appears to have been done on 9/1/2012. I and a couple others have AR'd a couple of the items, but so far I've not seen any action. Meanwhile, people are coming to the bazaar and grabbing stuff, and there's a real potential for them to have Lindens stolen. 

Link to comment

Zaphod Kotobide wrote:

Just a general heads-up to everyone who offers free items at Stillman.

As I was checking my transaction logs I noted that one of the items I have at the bazaar had its name changed.
Upon examination I noted that somebody had added some "vendor" scripts to the item. The scripts were added on September 1. They are no mod and I have no idea what they actually do, but they do request debit permissions when you rez the item, so they could be malicious and potentially drain the accounts of innocent freebie shoppers.

 

The scripts are present in numerous items at the bazaar that have been shared with the group. If you've got free items there, I strongly recommend that you go have a look at them. The name of the script is "Updater Vendor System". 

 

It is impossible for me to know what actually is in the script, or who is responsible for them being in the bazaar items, but it appears to have been done on 9/1/2012. I and a couple others have AR'd a couple of the items, but so far I've not seen any action. Meanwhile, people are coming to the bazaar and grabbing stuff, and there's a real potential for them to have Lindens stolen. 

My bolding above, "As I was checking my transaction logs I noted that one of the items I have at the bazaar had its name changed."

I am confused here.  Was this an object you own?  No one can modify YOUR object unless you granted them edit rights.

And why did it take someone else to fix it?

WE do know about people rezzing phantom prims in front of vendors to trick people.  But you would not be the OWNER and the transaction would not show up in your transaction log unless you happened to purchase from it.

IF SOMEONE ACTUALLY ADDED A SCRIPT TO AN OBJECT THAT YOU OWNED, then you need to file a security JIRA detailing the incident.

Your post does read like you are talking about one of your own vendors.

 

 

Link to comment

Perrie Juran wrote:

No one can modify YOUR object unless you granted them edit rights.

 

Apologies, but that's wrong. If "share with group" is checked, every group member can modify that object (if the object permissions allow modification). That's expected behavior.

A lot of people, including creators, don't realize that.

 

Link to comment
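
An added example, not code from the thread or from Linden Lab: an LSL tripwire a donor could place in an item that is set to "share with group", the setting the posts above describe, to report any script whose creator differs from the creator of the tripwire itself. It assumes every legitimate script in the item shares that creator, and it cannot tell what a no-mod script does or whether it requests debit permission.

```lsl
// Added example (not from the thread): tripwire for an item that is set to
// "share with group". Assumption: every legitimate script in the item was
// created by the same avatar who created this tripwire script.

list gFlagged;   // foreign script names already reported

// Names of all scripts in this prim whose creator differs from ours.
list foreignScripts()
{
    key trusted = llGetInventoryCreator(llGetScriptName());
    list found;
    integer n = llGetInventoryNumber(INVENTORY_SCRIPT);
    integer i;
    for (i = 0; i < n; ++i)
    {
        string name = llGetInventoryName(INVENTORY_SCRIPT, i);
        if (llGetInventoryCreator(name) != trusted)
            found += [name];
    }
    return found;
}

// Report each newly seen foreign script once, then remember the current set.
audit()
{
    list found = foreignScripts();
    integer n = llGetListLength(found);
    integer i;
    for (i = 0; i < n; ++i)
    {
        string name = llList2String(found, i);
        if (llListFindList(gFlagged, [name]) == -1)
            // llInstantMessage also reaches an owner who is not in the region.
            llInstantMessage(llGetOwner(), "Unexpected script \"" + name
                + "\" in \"" + llGetObjectName() + "\", creator "
                + (string)llGetInventoryCreator(name));
    }
    gFlagged = found;
}

default
{
    state_entry() { audit(); llSetTimerEvent(3600.0); }
    on_rez(integer start) { llResetScript(); }   // re-audit for a new owner
    changed(integer change)
    {
        if (change & (CHANGED_INVENTORY | CHANGED_ALLOWED_DROP)) audit();
    }
    timer() { audit(); }   // hourly fallback if no changed event arrived
}
```

Anyone with modify rights on the item can also delete the tripwire, so a missing tripwire is a finding in its own right.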

All along, they have been specifically requesting that people enable "share with group" on donated items. LL's rationale is --

"When you set out your item please tick the box for 'share with group' this allows us to move it if need be without claiming ownership."

Naturally, many donors will have done it exactly how LL requested.

Link to comment

And in practical terms, the bazaar being a collaborative effort, it's a necessary evil. Traditionally it has relied on the honesty of those in the group, and there have been very few problems arising out of it. In fact, this is the first issue I'm aware of, at least in the 4 years or so I've been sharing content there.

 


Cerise Sorbet wrote:

All along, they have been specifically requesting that people enable "share with group" on donated items. LL's rationale is --

"When you set out your item please tick the box for 'share with group' this allows us to move it if need be without claiming ownership."

Naturally, many donors will have done it exactly how LL requested.

 

Link to comment

The objects at the bazaar are necessarily shared with the group, in order to facilitate management of the location. Why did it take someone else to fix it? Well, it really didn't. I could just as well have taken the initiative and removed the offending scripts from all of the items myself, but that would have been tantamount to cleaning up a crime scene before the cops got there to investigate. Lindens can see things that I can't, and in the end it wouldn't have been very helpful for me to have done so.



Link to comment

Zaphod Kotobide wrote:

The objects at the bazaar are necessarily shared with the group, in order to facilitate management of the location. Why did it take someone else to fix it? Well, it really didn't. I could just as well have taken the initiative and removed the offending scripts from all of the items myself, but that would have been tantamount to cleaning up a crime scene before the cops got there to investigate. Lindens can see things that I can't, and in the end it wouldn't have been very helpful for me to have done so.


My apologies.....I did not realize that 'share with group' allowed the edit permissions.

Learn something new every day.

I hope the person who did this was removed from the group.

 

Link to comment

It's certainly a good case for having another look at group permissions, and perhaps adding a bit more granularity to them.


Perrie Juran wrote:

My apologies.....I did not realize that 'share with group' allowed the edit permissions.

Learn something new every day.

I hope the person who did this was removed from the group.

 

Link to comment