Security Flaw In The Second Life Web Site

[Perrie Juran]

I was glancing at another thread and saw this comment and it reflects a problem that I have seen:

http://community.secondlife.com/t5/Make-Friends/Not-easy-being-green/td-p/1278435

 

---

Alishen wrote:

Hello,

I have not played SL in years,and when I did it was very short lived.

now have a new roommate who really enjoys SL and has talked me into trying again.Speaking of her I found a neat bug in the forums..we have a computer in the living room that is more for reading the  news and emailing  we both share.I log into the main site with my account,but when I came into the forums and posted the first message it was in her account..If I use the back button I go back into the SL main site and once again I am me log in under this name.I had to log her out of the forums and log my self back in.Kind of wonky.

---

Please note carefully the part I bolded.

Let's say I have two alts, HeavenToBetsy and HeavenToMergatroid.  (names are changed to protect the guity).

I log in Betsy to the Main page (dashboard) and then decide to open the Forum page in a separate tab.  I click on Log In and find myself automatically logged in under Betsy's name.  But while I am here I remember that Mergatroid needed new underwear so I go to the Market Place on that second tab.   WITHOUT being prompted for a password I find I am logged into Market place as Betsy.  But Betsy didn't need new underpants so I log her out and log Mergatroid in, do my shopping and close that tab without logging out.

Then I decide to go back to the Forums and as the OP did above and find that instead of being on Betsy's account I am now on Mergatroids!  So now I have two accounts logged in AT THE SAME TIME!

Then I decide I want to comment on a JIRA I see mentioned in the Forum.  I get logged in automatically and find I'm under Mergatoid's account still.  (Actually, I couldn't lock this one down....it varied which account I found myself auto logged in to the JIRA).

This for me individually might not be a huge issue, but in Alishen's scenario above,  if he was pissed at his RL GF he could have flamed and trolled the Forum without her knowledge, spent all her Linden dollars on the marketplace buying her every version of prim penii available as well as several Zion Chickens, A Vampire avatar and what ever else might have struck his fancy. Then when done with that he could have continued to the JIRA and Flamed that also.

All this WITHOUT his GF giving him her password and WITHOUT her knowledge.

So the bottom line is this, WE SHOULD ONLY BE ABLE TO HAVE ONE COOKIE  ACTIVE AT A TIME across all the different sections of the SL Website.  Cookies are remaining persistent when they shouldn't be.

 

 

[Charolotte Caxton]

Isn't that the way every site on the web is like?

Like when you check your bank account, instead of just closing the window, you should always log out and then close the window. Also, if you check your Yahoo or Hotmail account, before you get up, you log out and then close the window, especially if you are on a shared computer.

I believe that is how you would also treat the SL website, if on a shared computer, logout then close the browser window.

Is this what you mean? Or is there a greater security risk to us?

[Perrie Juran]

I agree with you that good security practices should be to log out and close your browser.  But not every one practices good security habits. 

But part of what I found was that if I closed the forums, marketplace and JIRA tabs, Logged out of the Dashboard but If I HADN"T closed my browser, although I had logged out of one section, I was still logged into the others.  The funny thing was the Dashboard still asked me for my log in info in that scenario, hence I again had two accounts logged in at the same time, even though it was separate sections.

Point is, the person may have thought they had COMPLETELY logged out but in reality they hadn't.   They may not have realized they needed to log out of each section individually.

[Charolotte Caxton]

Ohh, I see. Good point.

[Perrie Juran]

p.s, on a side note, i think it should be against the law for any web service to provide a "remember my password" option.  That is the dumbest, most un-secure thing any web service could offer on a log in page.

[Charolotte Caxton]

No!!! I love the remember my password option, I use it everywhere, it saves so much time. Every site just about wants a password, I would spend half my life retyping passwords if my computer didn't remember them for me

[Perrie Juran]

---

Charolotte Caxton wrote:

No!!! I love the remember my password option, I use it everywhere, it saves so much time. Every site just about wants a password, I would spend half my life retyping passwords if my computer didn't remember them for me

---

I use a password manager.  I use a long password on it and change it periodically.  It has an auto fill function.  There are several good free ones available. 

[Charolotte Caxton]

Yes? Cool, I should look into those. I use Chrome's autofill, it gets annoying sometimes, and it always clears when I clear my browser (obvious I guess) but it saves some time.

[Canoro Philipp]

i would find it more easy too to log in one time to all the parts of the website, marketplace, jira, forums, but some felt insecure and asked for different logins for each part of the website.

[Peggy Paperdoll]

Remembering log in information is an option.  You must enable it before will remember.  It's up to the individual to decide what he/she wants the software (website, game, computer, etc.) to do the work for you.  That's what those password lockers do....the difference is that it's third party and it resides on your computer and not some extermal server.  People always want some law to protect themselves from themselves......why not learn what security practices you should use for your personal needs instead?  It's not difficult at all since almost all security practices are simple common sense things.  Sure it's easier if the machine does it for you........but is it secure?  Probably not very.  But developing software that does the "hard work" for you is convenience......and if you know the negatives you can make the decision yourself whether or not to use it.  A law is not necessary. 

 

Here's a law I think would help.......before you can open an account that give access to the Internet you must complete an accredited course on Internet Security/Safety (with a passing grade of at least 75%).  Without proof of such certification on file you cannot have any account the allows Internet access.  Would that not cut down on Internet crime?  Woiuld that not make the Internet a safer place for us all?  Wouldn't that be a great law?  I mean, come on now, if you want it against the law for websites to give users an option to "remember me" why would you not support my law?  I can answer that......Because my law is ridiculous.  But not anymore ridiculous than your law.

 

Think about it.

[Ceka Cianci]

mine is set up so that when i close my browser that i log out of the forums..all i have to do is sign in and my name is the one that pops up..if my husband  wanted to use the forums..which i hope he never finds them lol..

he would have to sign me out and then sign in himself..

it's because i have the forums remembering me so i don't have to sign in each time by typing in..same for the log in to the site or the feeds..they are all seperate login's for each thing..

just as with the market..they are all different things..

this is only for people that use the same computer that there would be any kind of a risk.not for people that are on different browsers..

if he is on his laptop he wouldn't have to sign me out..just if he uses my browser..our browser i mean hehehe..mine really but let him think what he wants lol

[Perrie Juran]

---

Canoro Philipp wrote:

i would find it more easy too to log in one time to all the parts of the website, marketplace, jira, forums, but some felt insecure and asked for different logins for each part of the website.

---

But you don't actually have to log in to the others because after you log into the Dashboard you don't have to enter a password to get to the others.  But conversely, if you log out of one part it should also log you out of the other parts.

[Eloise Baily]

All the more reson to make sure you log out of any site where your security might be compromised, don't you think?

 

[Perrie Juran]

my intended tongue in cheek is that they are enabling bad habits.

or in this instance, habits that are at least in my opinion not wise.  but it is still your choice.

 

[Peggy Paperdoll]

My intended tongue in cheek was to point out that it is an option.  An option that many take without even thinking about what they are opting to do.  The keep me logged in or remember me option many (most) websites that have password required log ins is for the convenience of people who should know what they are doing.....unfortunitly, many don't.  Making the accusation that it's a security flaw when, in fact, it is a designed option shows a very real lack of understanding Internet security.  That's my point.........people are their own worse enemies in so many cases.

[Peggy Paperdoll]

Absolutely.

[Perrie Juran]

---

Peggy Paperdoll wrote:

My intended tongue in cheek was to point out that it is an option.  An option that many take without even thinking about what they are opting to do.  The keep me logged in or remember me option many (most) websites that have password required log ins is for the convenience of people who should know what they are doing.....unfortunitly, many don't.  Making the accusation that it's a security flaw when, in fact, it is a designed option shows a very real lack of understanding Internet security.  That's my point.........people are their own worse enemies in so many cases.

---

But on the SECOND LIFE WEBSITE it is not an option.  It is a "feature."  No where on the web site does it ask you whether or not you want to stay logged in.  So there is a weakness in that you can LOG OUT of one section and still unknowingly remain logged in to the others.

So I could reply that not understanding the danger in this weakness also shows a real lack of understanding.

[wiked Anton]

its your computer doing all the remembering, set you computer to not remember passwords, clear your chache, and you should find that you will be asked for a password every time

[Perrie Juran]

---

Eloise Baily wrote:

All the more reson to make sure you log out of any site where your security might be compromised, don't you think?

 

---

I agree with the make sure. 

And my computer is set to clear all cookies and passwords when I close my browser.  And I don't walk away with my browser open.

[Peggy Paperdoll]

I don't know if you and I are arguing on the same side or not.  I just did an experiment and I think I know what you are concerned about.  It's the "Sign In" and "Sign Out" for the forums.  Yes, if you keep cookies you can gain access to whatever user's forum account page by clicking the "Sign In" when you come to this site.  Deleting cookies will solve that.  Someone trying to access your forum account and not using the same computer will have to enter both the account name and password.  I don't know if Market Place is the same but I highly doubt it since your account information is on a secure site......the forums are not.  I know your dashboard is on a secure site and if you do not enable the remember me option when you log in you will have to enter your name and password every time you go to your dashboard.........unless you have Windows remembering your log in information (which is also an opt in option).  And, of course, the same with your Second Life viewer log in.

Dashboard log in page

[Perrie Juran]

I stand corrected.........I never ever use the feature.

my bad

[Perrie Juran]

---

Peggy Paperdoll wrote:

I don't know if you and I are arguing on the same side or not.  I just did an experiment and I think I know what you are concerned about.  It's the "Sign In" and "Sign Out" for the forums.  Yes, if you keep cookies you can gain access to whatever user's forum account page by clicking the "Sign In" when you come to this site.  Deleting cookies will solve that.  Someone trying to access your forum account and not using the same computer will have to enter both the account name and password.  I don't know if Market Place is the same but I highly doubt it since your account information is on a secure site......the forums are not.  I know your dashboard is on a secure site and if you do not enable the remember me option when you log in you will have to enter your name and password every time you go to your dashboard.........unless you have Windows remembering your log in information (which is also an opt in option).  And, of course, the same with your Second Life viewer log in.

---

I think we both agree that good Internet habits are important.

Here is the scenario.

I cleared all cookies, history, etc in my browser.  (I use FireFox).

I logged into my dashboard entering my User Name and password.

I opened Market place in a new tab.  I was NOT prompted for my user name or password but found myself automatically logged in.

NOW, and I bet no one ever really thinks about in an active sense, but because I am doing other things on the web site rather than logging out of the Market Place I just close the tab. 

Then I finish looking at what ever I wanted to look at on my Dashboard and LOG OUT.

I decide to go back to the Market Place.

In my tests at least, I am still logged in to the Market place despite logging out of the Dashboard.

So where logging into my Dashboard automatically gets me into my Market Place acct, Logging out of the Dashboard does not automatically log me out of the Market Place.

That is the weakness (if you feel that 'flaw' is too strong a word) that the OP in the other thread I quoted discovered.   But in his case, it was to the Forum that he posted.  In his GF's name.

 

[Peggy Paperdoll]

Okay, I concede that that is not a particularly good idea to have both your dashboard and market place accounts tied together like that......they both are secure sites and evidently tied together in such a way that you need to log out of both indepentantly yet not necessarily for log ins.............I wonder if LL knows this.  It's most likely a setting in the software for the sites.  I don't use Market Place (I'm old school..........I shop in-world).  Someone (like you?) might start a JIRA.  I, too, think that's probably not a great way for security and both the dashboard and Market Place having personal financial information makes it even worse.

 

Thanks for explaining in one syllables so I can understand. 

[Perrie Juran]

---

Peggy Paperdoll wrote:

Okay, I concede that that is not a particularly good idea to have both your dashboard and market place accounts tied together like that......they both are secure sites and evidently tied together in such a way that you need to log out of both indepentantly yet not necessarily for log ins.............I wonder if LL knows this.  It's most likely a setting in the software for the sites.  I don't use Market Place (I'm old school..........I shop in-world).  Someone (like you?) might start a JIRA.  I, too, think that's probably not a great way for security and both the dashboard and Market Place having personal financial information makes it even worse.

 

Thanks for explaining in one syllables so I can understand. 

---

I browse the marketplace to find who is selling what I am looking for but generally make my purchases In World.

As far as JIRA's go, I will tell you my general feeling about them.

Several months ago I thought I saw a problem with a search term in the Market Place.  I had just discovered it and there was a thread discussing search term problems in the Market Forum.  I mentioned what I had just found.  The very next post was from a Linden asking why I had not flagged any of the items.  She asked me to go flag all the items (over 100!).  I had posted a screen shot of the problem.  All she had to do was make a note, we've got a "Big Problem In Little China."  The term and the problem was right there for her to see.

So my thinking is this.  Vaile or whomever Mr. Linden Lab is are going to see this thread.

They will decide whether it is important or not, no different than if I started a JIRA. 

After getting chastised for not flagging the items and being TOLD by an employee of Linden Lab to go do her job, I said NO MORE.

They get paid to deal with the problems.  I don't.

I've done my job by making it known as best I can to my fellow residents.

 

 

[Peggy Paperdoll]

Fair enough.....not exactly my way of thinking but I can see your point.  At least anyone who's read this thread is aware of needing to treat Market Place and their Dashboard as separate and even you don't need to log in to one if you've already logged into the other, you still need to specifically log out of both.

 

But back to my point.  Whether this is flaw or by design, everyone needs to take security seriously and don't rely on any software to do it for you.  Learn what Internet security involves and how to make the best use of it.  Windows, Firefox, Chrome, Linden Lab, Chase Manhattan or anyone else cannot do it for you........that's your job.  Do it and you'll be much less likely to be a victim.......let someone else do it for you and whine if something happens is your other choice.