Vivox Torn Apart

Suddenly, hacks! Apparently, Vivox is being torn apart by a few malicious folks, but one stepped forward and released a few screenshots, then reported the exploits to Vivox. (This is the same method used by Phox way back when he disabled Hazim’s voice account, remember?) He just now released login credentials (which may or may not work) to the Vivox admin portal, which may or may not work, but to prevent any legal action we can’t repost them here. However, if you look through the recent Alphaville Herald article and its comments, you may find them. Basically, Fractured and Phox (Lonely Bluebird) obtained access to the administrative panel of Vivox, the voice service for Second Life. This allowed them to listen to or even join in on any conversation anywhere in the grid, including on private estates and Linden-owned sims.

However, note that this is not the same exploit that TOBSDA used to record his videos, which was much less elaborate:

I just went to EP with random alts and put my voice dot wherever Fractured/Arabella/Phox were. If I was able to hack viviox like Fractured did. I’d have allot more recordings. (Since phox and fractured had a closed off parcel with a private voice channel.)

Hazim says Vivox’s admin dashboard fails to check credentials and is essentially “wide open”.

Additionally, Fractured and Phox were able to use a server-side “requestxfer” exploit combined with a “rogue sim” exploit to be able to transfer any file on any Second Life user’s computer without any notice or indication thereof. (That’s why TrueCrypt is a good thing, kids!)

Plastic Duck: jcool was abusing the shit out of that one
Plastic Duck: to download files from peoples computers heh

[8:51:20 AM] hazim: yeah
[8:51:27 AM] hazim: the rogue sim thing + requestxfer
[8:51:30 AM] anonymous: What was he able to download?
[8:51:34 AM] hazim: anything on the computer

Of course, Linden Lab says nothing ever happened.


~ by NJenkins on August 30, 2010.