WOW!! Just wow! As if the default security settings in Avatars United weren't bad enough (they expose your email address to untrusted applications), Isoz Bioworm has uncovered two new vulnerabilities that are far more serious. One is a cross-site-scripting (XSS) exploit, which, as I've learned, is a way that a hacker can redirect your browser to a malicious site.
The demonstration is particularly creepy -- it shows three exploits based on the same method. A script is inserted into the "Comment" field of an Avatars United blog post. When someone browsing the blog gets to the comment, it automatically displays an image, a popup or even another website of the hacker's choosing. It's then a simple matter of making that other site look like an official Linden Lab one and asking for your password to continue, and poof, you've lost your account.
The second exploit shows how an arbitrary file can be uploaded to AU, including .exe, .html, etc. This could be used to gain entry to the AU servers themselves.
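For readers wondering what the fix for these two bugs looks like on the server side, here is an added example (my own illustration, not code from Avatars United or Linden Lab): comment text is entity-encoded before it is written into the page, so a script dropped into the "Comment" field is shown as text instead of running, and uploads are checked against an allowlist of image types by both extension and leading bytes, so .exe and .html files (even ones renamed to .jpg) are refused. The sample comments and file names are constructed for the demonstration.

```python
import html
import re
from typing import Optional

# Constructed sample comments of the kind the post describes: active content
# typed into a blog comment field. Illustrative strings only.
SAMPLE_COMMENTS = [
    "Nice post!",
    '<script>window.location="http://attacker.example/"</script>',
    '<img src=x onerror="alert(1)">',
]

def render_comment(raw: str) -> str:
    """Return the comment body as it should be written into the page.

    Every character with HTML meaning (<, >, &, quotes) is entity-encoded,
    so the browser displays what the commenter typed instead of parsing it
    as markup or script. The stored comment itself is left untouched.
    """
    return html.escape(raw, quote=True)

# Allowlist for the upload handler: extension -> leading magic bytes.
# Only image types are accepted; .exe, .html and anything else are refused.
ALLOWED_UPLOADS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def check_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a safe storage name for the file, or None to reject it.

    The name is reduced to its last path component and must be one stem
    plus one allowlisted extension (so "shell.php.jpg" is refused), and the
    file's first bytes must match that type, which catches an HTML file
    that was simply renamed to .jpg.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    m = re.fullmatch(r"([A-Za-z0-9_-]{1,64})(\.[A-Za-z0-9]+)", base)
    if m is None:
        return None
    stem, ext = m.group(1), m.group(2).lower()
    magic = ALLOWED_UPLOADS.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return stem + ext

if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(render_comment(c))
    print(check_upload("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16))
    print(check_upload("avatar.html", b"<html><script>"))
```

Escaping at output time is the part that matters for the comment bug; filtering on input alone would still leave every comment already in the database live.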
Until Linden Lab brings this crap under control, I will not be using Avatars United. So all you peeps who have friended me without response, you'll just have to wait a bit longer.
UPDATE 2/16/10: Linden Lab has responded to my JIRA and says that both vulnerabilities are being fixed. As to the email issue, Soft & Yoz Linden both say that OpenSocial is not capable of returning an email address itself back to a plugin app. However, a number of people have reported big increases in spam after signing up for AU, so I still have questions for the Lab on this.