May 14, 2010

Something's phishy with Second Life signatures

After the great phishing exploit of the Second Life Blogrums, Linden Lab disabled "certain features" of the Jive SBS (aka Jive Turkey) software that runs the forums / blogs. As it turns out, those features included some of the most common ones used by residents: quoting, smilies, bold formatting, images (to be expected) and video (to be expected).

Next on the hit list for security was Linden Lab limiting images on XStreet SL to only those served by Linden Lab's own servers. So no more YouTube vids or similar product demos. While none of those really affected me directly other than the royal PITA the blogs have become to use (as if things weren't awful enough), I found that trying to update my secondlife.com profile signature to use an <img> tag failed utterly. What I couldn't understand was why other residents had working active sigs with animated GIFs and all, but I couldn't even add a plain static GIF, even one served off an XStreet listing.

Several of us started posting about this and, lo and behold, up pops Yoz Linden with this gem:

[Image: Yoz Linden post in SL blogs]

So basically, sigs with images are grandfathered for residents who already had them because Linden Lab "assumes" they are safe. But anyone trying to update theirs is SOL. What a crock!!! I'm no webbie expert but from what I've learned (thanks in part to friends Patchouli Woollahrah and Maggie Darwin), it's trivial for whoever controls the linked URL to replace an existing image with something malicious after the sig was approved. It's not just the <img> tag itself that can be used maliciously but the file being linked to as well, and a grandfathered sig is only as safe as the server it points at today.
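The two points above, that an <img> src on a third-party host can be swapped out from under a grandfathered sig, and that restricting images to first-party servers (the XStreet approach mentioned earlier) closes most of that hole, are illustrated by the following added example. It is not code from Linden Lab, Jive SBS or this post; the allowlisted hostnames, the sample signature and the "hosted" image bytes are all constructed assumptions. It does two things: sanitises a signature so that only first-party <img> tags and basic text formatting survive, and pins the approved image's content hash so that a later swap of the file behind the URL is detectable rather than silently trusted.

```python
"""Signature sanitiser with first-party image allowlist and content pinning.

Added example (not from the original post). Hostnames and sample data are
constructed assumptions, not Linden Lab's real policy or infrastructure.
"""
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party hosts: only images served from here are accepted.
FIRST_PARTY_HOSTS = {"secondlife.com", "xstreetsl.com"}


def img_src_allowed(src: str) -> bool:
    """True only for absolute http(s) URLs whose host is first-party or a subdomain of one."""
    u = urlparse(src)
    if u.scheme not in ("http", "https"):          # rejects javascript:, data:, protocol-relative //
        return False
    host = (u.hostname or "").lower()
    return host in FIRST_PARTY_HOSTS or any(
        host.endswith("." + h) for h in FIRST_PARTY_HOSTS
    )


class SigSanitizer(HTMLParser):
    """Rebuilds a signature keeping only <b>, <i>, <br> and allowlisted <img src>.

    Everything else (script, iframe, anchors, event-handler attributes) is dropped,
    and the text inside <script>/<style> is discarded rather than re-emitted.
    """
    ALLOWED_TEXT_TAGS = {"b", "i", "br"}
    SKIP_CONTENT_TAGS = {"script", "style"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.rejected: list[str] = []   # image URLs that failed the allowlist
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if img_src_allowed(src):
                # Only src is re-emitted; onerror/onload and friends never survive.
                self.out.append(f'<img src="{escape(src, quote=True)}">')
            else:
                self.rejected.append(src)
        elif tag in self.ALLOWED_TEXT_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in self.SKIP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in self.ALLOWED_TEXT_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(escape(data))


def sanitize_signature(html_sig: str) -> tuple[str, list[str]]:
    """Return (clean_html, rejected_image_urls) for a submitted signature."""
    p = SigSanitizer()
    p.feed(html_sig)
    p.close()
    return "".join(p.out), p.rejected


def pin_image(content: bytes) -> str:
    """Hash the image bytes at approval time; store this next to the sig."""
    return hashlib.sha256(content).hexdigest()


def image_still_matches(pinned_hex: str, current: bytes) -> bool:
    """Re-check on serve: False means the file behind the URL has changed since approval."""
    return hmac.compare_digest(pinned_hex, pin_image(current))


# Constructed sample signature mixing allowed, off-site and scripted content.
SAMPLE_SIG = (
    'Hi <b>there</b> <img src="https://secondlife.com/a.gif"> '
    '<img src="http://evil.example/x.gif" onerror="alert(1)"> '
    '<img src="javascript:alert(1)"> <script>alert(1)</script>'
)

if __name__ == "__main__":
    clean, rejected = sanitize_signature(SAMPLE_SIG)
    print("clean   :", clean)
    print("rejected:", rejected)
    approved = b"GIF89a\x01\x00\x01\x00constructed"       # bytes served at approval time
    pinned = pin_image(approved)
    print("unchanged ok:", image_still_matches(pinned, approved))
    print("after swap  :", image_still_matches(pinned, b"GIF89a\x01\x00\x01\x00swapped"))
```

The allowlist is what makes grandfathering defensible: an image on a host you operate cannot be swapped by the resident, while the pinned hash is the fallback for any off-site image you have already let through, since re-hashing on serve turns a silent replacement into a detectable event.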

Plus, even if simply disabling sig editing is a sound technical answer, letting some residents have image sigs while others can't is inherently unfair.

On top of this, no one has said anything at all about the potential security holes in "Media on a Prim" (MOAP) which lets those so inclined watch even more pr0n from inside Second Life (she says sarcastically).

OK so again I ask the question, WHY did Linden Lab throw away vBulletin in favor of JIVE SBS (Clearspace)? Oh yeah, the reasons they gave were because vBulletin wasn't secure and wasn't scalable. Yet, as I pointed out here, some of the biggest community sites in the world (with far greater hacker exposure) run vBulletin and phpBB. JIVE SBS doesn't even crack the top 500 for sites in terms of posts or user base.

So let me translate Linden Lab speak for you. "We had no clue then. We have no clues now. We like shiny things. Ooooh SQUIRREL!!"

1 comment:

  1. "We had no clue then. We have no clues now. We like shiny things. Ooooh SQUIRREL!!"

    ROFLMAO.....Too Funny....except it's true.
    404 aka clueless

