Gordon Wendt added a comment - 09/Jun/08 02:17 PM
This is really an issue for support, I'd suggest opening a ticket at http://support.secondlife.com
From other sources of information I've been reading on this particular situation, the account in question has already been banned. I think what Phoenix is trying to bring to light here is the question of whether one such copybot (under any circumstance) would be able to clone a position within any given group (along with the permissions given to members in said role).
If so, this could be especially harmful if the malignant user were to decide, for instance, that he wanted to maliciously kick other people from the group, or maybe do something irreparable to the group's land. As such, I believe it is relevant to JIRA and needs to be addressed.
This was reviewed and tested using the libsl test client. Trying to join a closed group fails after the join request with "Second Life: You cannot join '[group name here]': The group no longer has open enrollment." I vote this remains closed.
Dante, I agree if there is a bug in groups or such that allows this then it needs to be addressed; however, there is no info on whether that's possible, and that's not really even the described issue, it seems.
Stop closing this issue. Over ten of us were present in world when this happened. If it gets closed again I'm reopening it unless it's locked by a Linden.
Whether this was done strictly via the libSL client or a hacked/modified viewer is irrelevant, I watched with my own eyes what happened and it's clearly indicative of a security vulnerability that needs to be addressed and not swept away as "Well I don't have the skills to hack it myself, ergo no one else can." Updated the JIRA issue a bit to clarify the problem.
Hi again everyone... If you are all so certain this is a security vulnerability then it needs to be moved to SEC - Security exploits
However, simply taking someone's profile picture, skin textures and joining groups therein is not. Why? Because you can do all those things without a special program. The only thing that is not possible without a special program (and then only because the button is not visible) is joining a closed group. So move it to SEC. Also, I didn't close the issue. I never do that without leaving a few days for responses.
There's no harm in it being made here as well. The ability to join closed groups is a security vulnerability in and of itself, not least because, despite the bot being able to just join as the "Everyone" role, many group owners who operate closed groups assign full responsibilities to that role because they assume nobody except those invited can get in to begin with.
There's no detriment to a public JIRA issue being made about this to raise awareness. As this is going to serve as a public awareness message rather than a real issue, I suggest adding the workarounds that were discussed, such as having your group require payment to join.
Take no offense to "rather than a real issue"; I only say that because this issue is missing repro, therefore making it impossible to fix at the moment.
Because you and I can't reproduce this (since we lack whatever client was used, and I know I'm not willing to open myself up to a ban for trying to brute-force my way towards figuring out how they did it) doesn't mean the Lindens can't, having, you know, greater access to the entire security substructure and all that.
Folks, I think it's pretty naive to assume that trying to join a closed group in whatever off-the-shelf libsl stuff you download is a sufficient test of whether it's possible. This person could well have been using an exploit that's not publicly known, or using a custom-hacked client. All I know is that one of our friends who was in the room with us said the botter had joined her invite-only group, and was added in the Everyone role, and she had to eject the guy from the group. I don't know the group name, but as it was her personal group, I expect her to know the permissions she's set on it. None of us here knows exactly what this person was doing and what software they were using. By closing this JIRA you could be holding the window open for people who know of this exploit, if the exploit does indeed exist.
Is there a snapshot of the profile showing one of these invite-only groups in the bot's profile?
(note, no one has CLOSED this issue, they have resolved this issue, which means "sent back to the reporter for reconsideration")
I'd be glad to move this to SEC if necessary. If any details of how to reproduce this exploit are posted here, that would be the best course to take because it would give LL time to fix it before others start exploiting it. It would help if we know what group(s) the person joined, the name of wildefire's friend whose group the person joined, and the name of the person who was doing the copying. The approximate time might be helpful too, in case LL has logs. If your friend doesn't want their name or their group's name made public here, I can move the issue to SEC where it won't be visible by the public. As suggested above, it might be a good idea to open a support ticket as well to get more immediate attention to this issue.
@phoenix psaltery - Please file a separate ticket in the SEC (security) project with the closed groups that this avatar was able to join. We can do more research with that information.
Thank you