Voice vulnerability allows people to get real world info?

[Teller96]

I was talking to a nice guy in Second Life and he was entertaining us with his abilities, saying he could get our real life names through a vulnerability in Second Life's voice feature. Sure enough, he delivered. He said that any time someone uses the feature he gets what he needs to get our real name. This is seriously concerning considering the only place my real name is entered is alongside my payment information. Does LL know about this vulnerability? Shouldn't everyone on Second Life know?

[Klytyna]

This sounds somewhat like BS to me, to be frank..., the voice spam system is 3rd party, it's not made by LL, and I seriously doubt there's a connection to LL's record of your account details.

If this guy really is pulling peoples 'real names' out of thin air, that would suggest he was an employee of a large ISP company, and somehow used some backtrace on your voice spam to find your IP address, looked it up, found you used the ISP he works for and pulled your name from the ISP's customer database, so it only works if you surf using that particular ISP.

I can tell you for a fact that such a plan won't get everyones details, or even most peoples, and there's other ways for an ISP worker to trace IP adresses than voice spam.

If you are that worried about it though, simply do what smart people do, and disable voice spam.
 

[Teller96]

This ISP's service isn't registered under my name, my ISP is small and more local to the region. He wouldn't fill us on the details of how he was doing it unfortunately, so all I can do is guess. 

Edited April 8, 2017 by Teller96

[Whirly Fizzle]

@Teller96
You do have a RL selfie on your profile.
Do you use that same image on any other social network or forum under your real name? It's possible they found you doing a reverse image search.

I've never heard of it being possible to get your RL name from your account info through a voice exploit, though when it comes to voice exploits, I wouldn't be that shocked if it was real.

Did this "nice guy in Second Life" get you to click a web link at all?

[Teller96]

I've reverse searched my images before, nothing comes up. But even then I don't have my real name spelled properly anywhere on the internet except for alongside payment information, as far as I'm aware. Some of the other people he demonstrated on didn't have images. I didn't click any links. He was able to provide the proper spelling for it, which really caught me off guard. I said nice guy to clarify that it wasn't being done with malicious intent, and I don't want him being banned over it.

Edited April 8, 2017 by Teller96

[Theresa Tennyson]

1 hour ago, Teller96 said:

I've reverse searched my images before, nothing comes up. But even then I don't have my real name spelled properly anywhere on the internet except for alongside payment information, as far as I'm aware. Some of the other people he demonstrated on didn't have images. I didn't click any links. He was able to provide the proper spelling for it, which really caught me off guard. I said nice guy to clarify that it wasn't being done with malicious intent, and I don't want him being banned over it.

I was able to find out what phone you use and what network you're on from your selfie using information from public search engines. There are plenty of ways to get someone's IP address while in Second Life as well.

Where were you at for this "demonstration", and did you know the others he was "demonstrating" on? It may have been a case that he was able to get your name and was indulging in what magicians refer to as "pseudo-psychometry" and the others may have been flunkies. "Oh wow, he told me my NAME! AhhhhhMAYzing!" By definition, someone who has the ability to find a real exploit and uses it as a party trick instead of notifying the authorities is not a nice guy.

[Teller96]

I used four different search engines and this picture didn't turn up any results, so I'm having a hard time believing that, aside from common sense. My IP address doesn't connect to my name so that's off the list. All people there were regulars to the area, some were friends. I'd never seen the person there before.

 

And that's by opinion, not by definition. But that's irrelevant anyways.

Edited April 8, 2017 by Teller96

[Madelaine McMasters]

Years ago, I watched a presentation given by someone at a Black Hat or similar conference. During the demo, he had his girlfriend e-mail him from some random location in the city. Within moments of receiving the e-mail, he was able to locate her. He did it by obtaining the IP address of network she was on from the e-mail header. He then passed that IP address to a website that maintained a database of war-driven Wi-Fi networks. It's not only your ISP that knows exactly where IP addresses reside. At that time, I repeated the steps of his demonstration and sure enough, I found Google Maps looking at the end of my driveway. I've since replaced and relocated my wi-fi router to the basement, about a foot below ground on the wall closest to the road. Now I can't connect to my wi-fi network from my front yard, much less the street hundreds of feet away.

If you have a Wi-Fi network that's reachable from the street in front of your house, that's a potential vector.

[Teller96]

I get it, everyone thinks I'm an idiot and/or a liar. Progress cannot be made here. Case closed. Run along now. 

 

@Madelaine McMasters Sure that would be a great way to get my info, if my brother and two others weren't also living here. He'd just be picking a name and hoping to get lucky. 

Edited April 8, 2017 by Teller96

[Theresa Tennyson]

17 minutes ago, Teller96 said:

I used four different search engines and this picture didn't turn up any results, so I'm having a hard time believing that, aside from common sense. My IP address doesn't connect to my name so that's off the list. All people there were regulars to the area, some were friends. I'd never seen the person there before.

 

And that's by opinion, not by definition. But that's irrelevant anyways.

You took that picture with a Samsung Galaxy S5 issued by Verizon. I know that because I looked at the image of the back of the phone in the picture.

[Teller96]

I thought you were talking about my phone number. Knowing my model of phone and cellular network isn't going to get anyone anywhere.... really? I have to go to sleep. Case closed. See ya. 

[Madelaine McMasters]

4 minutes ago, Teller96 said:

I get it, everyone thinks I'm an idiot and/or a liar. Progress cannot be made here. Case closed. Run along now. 

 

@Madelaine McMasters Sure that would be a great way to get my info, if my brother and two others weren't also living here. He'd just be picking a name and hoping to get lucky. 

Well, I certainly don't think you're an idiot or a liar, and don't see evidence anyone else did. We're all offering theories to explain what you experienced. Regardless of the method used to obtain someone's name, the moment a demonstrator is correct, which might be 1% of the time, the 1% will be convinced the method is 100% effective. This is called survivorship bias. Whether this is or isn't the case we can't say. But, your response to our theories does sway me.

[Alwin Alcott]

4 hours ago, Teller96 said:

I was talking to a nice guy in Second Life and he was entertaining us with his abilities, saying he could get our real life names through a vulnerability in Second Life's voice feature.

another theory ... if you ever told somebody more details in sl... you met his alt and he feeded your mind with this

[Innula Zenovka]

@Teller96  Rather than invite speculation here, I think you might be better advised to open a SEC jira describing the exploit (including where and when it took place, and who were the parties involved) so LL's specialists can investigate the matter.

I suspect that, however the stunt was executed, it probably involved taking whatever data is available from the Vivox connection, and then putting it together with other, external, data to find out more about you.    That seems more likely that somehow working back from the Vivox connection to your LL account details, but that's just my non-expert opinion.   LL are better placed to investigate than is anyone else, and have considerable expertise in such matters. 

[Perrie Juran]

If you are talking about Spatial Chat the guy would have to be hacked into Vivox's servers, something which while it might be possible I'd consider unlikely.

"Your ability to hear others in spatial voice chat is tied your avatar or camera position by your preferences settings, and by enforced in code that does not exist in the open source viewer."  LINK

However, if you are talking about a Private Call:

"Private calls between two Residents are not encrypted. However, the call does not pass through any Linden Lab or Vivox servers; they are conducted on a peer-to-peer basis between the two computers involved. "Peer-to-peer" means that when you initiate a private voice call, your computer connects directly to the other computer for the purposes of voice communication."  LINK

So there is potentially a greater risk with a private call. But that is the nature of all Voice services such as Skype, etc.

On the other hand I have both seen and heard (text and voice) people reveal enough information that I could have figured out their RL identity.

And while I don't mean this as a criticism, why if you don't want anyone to know your identity do you have your RL picture in your profile?

 

[Perrie Juran]

6 minutes ago, Innula Zenovka said:

@Teller96  Rather than invite speculation here, I think you might be better advised to open a SEC jira describing the exploit (including where and when it took place, and who were the parties involved) so LL's specialists can investigate the matter.

I suspect that, however the stunt was executed, it probably involved taking whatever data is available from the Vivox connection, and then putting it together with other, external, data to find out more about you.    That seems more likely that somehow working back from the Vivox connection to your LL account details, but that's just my non-expert opinion.   LL are better placed to investigate than is anyone else, and have considerable expertise in such matters. 

"Spatial voice chat, meaning public voice chat with people who are near you inworld, is processed and mixed on servers maintained by Vivox"  LINK

I'd be really surprised if the voice participant's IP addresses were being passed on by the Vivox servers that you are connecting to.

[Innula Zenovka]

@Perrie Juran  I agree, but there have been security issues with Vivox in the past (two of the Emerald devs, as I recall, got up some mischief with Vivox back then) so who knows?   LL have the resources and expertise to investigate this.  I certainly don't.

[Marianne McCann]

It's frustrating that a person comes here to report this then, after folks good naturedly try to tease out the root causes of the exploit, said person gets offended that people tried to help. It's not about people thinking you are either an idiot nor a liar, it's about trying to figure out what happened, based on the knowledge of all the users here. People are *trying to help* by shedding light on the potential causes of this as best as they can. Isn't that what you wanted?

At any rate, I *would* suggest to the original poster (as @Innula Zenovka suggested): please consider opening an SEC JIRA on this. You can do so my logging into jira.secondlife.com and creating a new issue. Select "2. Second Life Security Exploits - SEC" from the first drop down, and fill in the rest of the information as clearly and concisely as you can. 

Like you, @Teller96, we want to see whatever loophole this person is using closed if possible. 

Edited April 8, 2017 by Marianne McCann

[Qie Niangao]

Just in passing, the voice thing could be a red herring and instead some other, unspecified vulnerability might be to blame. We only have his word that he's using voice to perform the trick, right? Unless he explains how he's doing it, his claim doesn't seem all that credible.

As others have said, SL voice is always a suspect, but that could also make it a good target of misdirection.

Edited April 8, 2017 by Qie Niangao

[Teller96]

The thing is, I'm paranoid on the web, I don't give out any of my real or identifying info to any website or friend period unless legally bound to. Because you never know when things might go south.. If anything, I assumed that he would come up with the distorted spelling of my real name. I've been thinking on it and I just don't see where the connection to that info could have been in anything that I've done on Second Life other than my private payment/account info. I've been keeping my online interactions sterile for years now. My IP address might give away my address for someone experienced I guess, but there's 4 people living here and luck wouldn't cut it. And since my name doesn't connect to any of my online photos or things, it would be impossible to confirm any of those people as me. Not to mention that I never even noticed him pause or take his time throughout any of this that would suggest he did all of this for every single person. I mean to bring it up with LL support when I get the chance, just thought I'd share here til then. 

[Madelaine McMasters]

11 minutes ago, Qie Niangao said:

Just in passing, the voice thing could be a red herring and instead some other, unspecified vulnerability might be to blame. We only have his word that he's using voice to perform the trick, right? Unless he explains how he's doing it, his claim doesn't seem all that credible.

As others have said, SL voice is always a suspect, but that could also make it a good target of misdirection.

We'll probably never know the whole story. Some people live pretty "leaky" lives on the Internet, perhaps under the false assumption that it's difficult to put two and two together. I was truly impressed by that Black Hat demonstration and it didn't take me long to use the tools revealed in it to discover a lot more about my own Wi-Fi network than I thought possible. I was in several databases (I think SkyHook was one of them), both by IP and router MAC address. I was immediately able to obtain a new IP address by swapping the two routers in my network. The MAC address of my second router was not in the databases I'd seen and I told SkyHook that my old IP and Mac address were in the Marshall Islands. (Making that true for a week is on my bucket list).

As we continually create accounts for the new services we desire, and those service's customer databases get hacked, there are more and more puzzle pieces available to figure us out. And there are plenty of people who like putting those puzzle pieces together as much as Mom and her friends like collaborating on 2000 piece pictures of Mad Ludwig's Castle.

[Whirly Fizzle]

@Teller96

If the "nice guy in Second Life" is willing to discuss his abilities further, ask him how he did it.
You could also change your RL name on your billing info to a different name temporarily & see if he can pick up that name change. 

[Teller96]

I was actually thinking about legally getting my first name changed anyways to bury 21 years of my addresses and family members and legal records etc. being stored in public databases. Hate those people search sites... drives me crazy that I'm listed there. Anyways I doubt he'll discuss it, as I asked before, either to keep other people from doing it or to keep it from getting patched because of snitches like me. That is, assuming there's not some other simple way he's doing it that makes sense. 

Edited April 8, 2017 by Teller96

[Whirly Fizzle]

If he was so worried about the exploit getting patched, I doubt he'd be demonstrating it to random people on SL to be a show off.

Out of interest, did you have music &/or media enabled when he did his thing?

[Teller96]

Both were disabled, final answer lol. And that makes sense. Don't think someone would hack into SL for the sole purpose of showing off, but you never know how bored someone can get. Only other thing I see he could have used within reason is IP, and even then I figure it would be a pain in the ass to link that IP directly to me and not anyone else using it. BTW, he didn't get every name right apparently. But he always seemed very confident that he did despite their saying he didn't. Not sure if the people were just trying to conceal their info or if he actually messed up. 

And I didn't mean to go off, I'm just used to sharing my experiences and everyone deciding that it's a made up story because it's an uncommon or unlikely scenario. 

Edited April 8, 2017 by Teller96