17 September 2007

XSS Attack on Second Life logins and My Recommendations

(Special Thanks to Ordinal Malaprop for pointing this one out)

pdp over at GNUCITIZEN highlights a serious exploit that affects Windows-based Second Life users. Read this like your SL depended on it, because it does!

Explanation of the exploit:
The exploit embeds an inline frame whose source is a deliberately malformed secondlife:// link. (Smuggling a payload inside a URL like this is a common trick in cross-site scripting attacks, although the mechanism here is really argument injection into the registered protocol handler.) On Windows, a secondlife:// link fires up the Second Life client by default and hands it whatever follows the scheme as parameters.

In a proper secondlife:// link, that would simply be a sim name and X, Y, Z coordinates in a slash-separated URL. This hack instead truncates the URL awkwardly so that the remainder is interpreted as command-line options: the client is told to start up, log in automatically, and submit your login details, including an MD5 hash of your password if "Remember Password" is enabled, to a login server at a URL other than the ones for the Agni (main) or Aditi (beta) grids run by Linden Lab.

This is a severe compromise: a false login can be performed against the genuine Second Life authentication servers simply by replaying the captured request from start to finish, because the hash is what the login server checks, so for grid login it is as good as the password itself. (Actually logging into the Second Life website would require the further step of recovering the password from the hash, which is possible, albeit tricky, thanks to the pregenerated 'rainbow tables' from projects established to break unsalted MD5.)

Until this issue is publicly addressed and fixed by Linden Lab, my recommendation would be to disable password caching by unchecking "Remember Password" at the client login screen. An attempted auto-login would still send your name and client version and type, as in a normal login request, but without a saved password to hash, no password will be sent along, rendering this exploit mostly useless.

Switching to Firefox would also help. The vulnerability in IE that this exploit relies on also used to exist in Firefox, but was patched within days of its discovery (yay for FOSS). Attempting the same attack on an updated copy of Firefox would merely result in Second Life being passed an odd "Startup Location" rather than actual command-line options (along with the security leak those could be used to create).
