[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6905b1570709160352y3c7f893cq983c8e7078c4cbc7@mail.gmail.com>
Date: Sun, 16 Sep 2007 11:52:22 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: IE (Internet Explorer) pwns SecondLife
http://www.gnucitizen.org/blog/ie-pwns-secondlife
E (Internet Explorer) pwns SecondLife. Before going into details why
and how it happens, I would like to bring your attention on SecondLife
for a moment. For those of you who don't follow cutting edge
technologies, SecondLife is a massive virtual world located on a
couple of hundred workstations on-line. The cool thing about
SecondLife is that you can do all kinds of things like expressing your
artistic side, communicating and of course making business. There are
a lot of money into SecondLife. Not that long time ago, there was this
girl who made $1000000 (a million) out of the on-line world. This
means that today crooks are after your virtual persona rather then
your physical self. Therefore, security in virtual worlds is almost as
important as security in the physical world.
Now let's get back to the real issue. Attackers can steal the victim's
login credentials, therefore hijacking their virtual persona, by
simply tricking them into visiting a malicious Web page.
It is automatic and the user doesn't have to do anything (no user
interaction is required). I would rate this issue as Medium risk
although if the victim have a lot of Linden dollars ($L) then the
situation becomes quite critical. At the time of writing 1$ can be
exchanged for 268.15$L.
So, let's stop thinking only one dimension for a moment. Compromising
the integrity of the browser or the operating system is cool but is it
really worthed? Attackers are after your money not your pictures or
school essays. Think about this for a second.
cheers
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists