
WTBG? - this is real right?


Eloise Baily

You are about to reply to a thread that has been inactive for 4538 days.

Please take a moment to consider if this thread is worth bumping.


I wish that were true Sy.

I haven't been near the JIRA since RZ which was when, March?

I find this a little odd.

I'm nearly 3 years old and savvy to a point. I'm not clueless on these things and this has never happened before. Is someone playing?

ETA: It's not the notification Sy. It's the disclosure of an avatar by a Linden. I stated that in my OP.

BTW, clicking on the link now does not get what I got in my notification. What I got was this (Dunno how to link):


https://jira.secondlife.com/browse/VWR-21305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Alexa Linden updated VWR-21305:
-------------------------------

Environment: .
Assignee: ProductTeam Linden
Labels: forProductReview vi-backlog (was: vi-backlog)

> Potential Privacy Exploit - It is heuristically possible to use MoaP to link a client IP address to an avatar
> -------------------------------------------------------------------------------------------------------------
>
> Key: VWR-21305
> URL: https://jira.secondlife.com/browse/VWR-21305
> Project: 1. Second Life Viewer - VWR
> Issue Type: Bug
> Environment: .
> Reporter: Joe Linden
> Assignee: ProductTeam Linden
> Priority: Minor
> Labels: forProductReview, vi-backlog
> Attachments: IP-Proof-of-PrivacyBreach.png
>
>
> This is a temporary report on a major privacy breach risk with the new viewer. Upon request, the resident reporting this issue has offered to demonstrate the exploit documented below in a safe place, with a personal guarantee that the obtained data (such as IP addresses) would, by definition, only be used for the risk test and would be scrambled and/or deleted immediately afterward.
> Risk Definition:
> This exploit relates to the rendering of HTML/Flash on prims (i.e. MoaP) and represents a major privacy breach risk which can also compromise security of an individual.
> Test Configuration:
> The test described below is done with a limited setup, but is fully functional, automatic and already operational.
> * webserver with a database
> * a small amount of server side scripts to register and process data
> * standard viewer 2.0
> * 1 prim with media texture pointing to an (empty) web page on a fraudulent server and one simple script with standard LSL
> * invisible placement of the prim (small size, hidden inside other prims or the land)
> Testing:
> * presence of avatars with the v2.0 viewer in the neighbourhood of the prim. Avatars must have media enabled (automatically or manually).
> Testing results:
> It is heuristically possible to link a client IP address to an avatar. Depending on the number of present avatars, the time they enter and they leave, it is possible to obtain ONE HUNDRED PERCENT accuracy.
> I have attached a very simple example of obtained data, not heuristically processed. 
> Though it's already clear without scripts: Gentle Heron is the owner of one of the (scrambled) IP addresses. 
> The other IP address reveals the existence of 2 users or a user and his/her ALT on the same network.
> Using the above configuration, it is possible to:
> Direct exploit
> * obtain IP addresses of any avatar
> * obtain the country of origin, even the location of the SL user depending on the DNS information or additional information from hacking tables
> * in case of static IP addresses, such as for companies, link an SL user to a company (or, e.g., his private business)
> Enhanced exploit
> * With the necessary tools, a hacker could be able to obtain personal data by attacking the PC of the SL user (Trojan horses, etc.).
> * Since the SL User does NOT know about the website/server he actually connected to, this is a major improvement for any hacker or bot network! Instead of having to hack websites to get a user connecting to a dangerous webserver, this is a direct and invisible way.
> * Due to the amount of concurrent users on SL, this is a dream situation for any serious hacker.
> Extreme possibilities
> Any hacker with experienced SL knowledge is able to link SL information about an SL user to the real individual once he has the connection.
> The anonymity of the SL user is completely undermined in this way.
> Additional Concerns...
> Given the fact that SL users completely rely on anonymity concerning their Second Life, including being part of several groups, including adult-related groups, blogs and posts on the internet,.... the real individual can be subject to DIRECT blackmail from the hacker(s) or hacker groups.
> Linden Lab might experience serious trouble if SL users blame the company for Trojan horses and viruses on their PCs, as well as the lack of protection of privacy.
> Final Remarks...
> Even a proxy server would have issues beyond those of heavy traffic. It would allow people to surf anonymously, and also prevent the logging requirements of each country's state security. Or, in case of less "free" countries, circumvent their own system (China,...)
> In theory, this was also possible with existing parcel media streams. Due to the ownership and parcel media restrictions, and also because they were limited to audio or video streams, developing and using a working exploit was less obvious.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.secondlife.com/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


I just looked and you are on the "watch" list Eloise. It is weird though because I don't see any recent update, but then again I could be looking in the wrong place as I hardly ever visit the JIRA.

And yeah, I see what you mean. I'll leave it to more experienced JIRA folks to comment.

It certainly appears genuine, and the fact that the Lindens provided an avatar name is worrying, but it just goes to show they don't seem too worried about users' information being collected. The fact that they mention someone AND their alt and gave a few IP addresses makes it too easy for someone to connect the dots there... most worrying indeed is the fact that LL doesn't consider IP collecting as an actionable exploit... OMG

This thread was updated today, which is why you got a notification in your email. I might be a little past my bedtime currently, but the person named in that screenshot upload must have given her permission to be named. (G.H. I mean). She was featured in a video a few weeks ago, so her RL identity is not a secret.


"Upon request, the resident reporting this issue has offered to demonstrate the exploit documented below in safe place, with a personal guarantee that the obtained data (such as IP addresses) would, by definition, only be used for the risk test and would be scrambled and/or deleted immediately afterward."
