February 16, 2010

More Avatars United security holes

WOW!! Just wow! As if the default security settings in Avatars United weren't bad enough (they expose your email address to untrusted applications), Isoz Bioworm has uncovered two new vulnerabilities that are far more serious. One is cross-site-scripting (XSS) exploit, which, as I've learned, is a way that a hacker can redirect your browser to a malicious site.

The demonstration is particular creepy -- it shows three exploits based on the same method. A script is inserted into the "Comment" field of an Avatars United blog post. When someone browsing the blog gets to the comment, it automatically displays in image, popup or even another website of the hackers choosing. It's just a simple matter of making the other site look like an official Linden Lab one, ask for your password to continue and poof, you've lost your account.

The second exploit shows how an arbitrary file can be uploaded to AU including .exe, .html, etc. This could be used to gain entry to AU servers themselves.

Until Linden Lab brings this crap under control, I will not be using Avatars United. So all you peeps who have friended me without response, you'll just have to wait a bit longer.

UPDATE 2/16/10: Linden Lab has responded to my JIRA and says that both vulnerabilities are being fixed. As to the email issue, Soft & Yoz Linden both say that OpenSocial is not capable of returning an email address itself back to a plugin app. However, a number of people have reported big increases in SPAM after signing up for AU so I still have questions for teh Lab on this.


  1. Holey Swiss cheese, Batman!

    Any idea if teh Lab itself is aware of any of this?

  2. I have no idea but I just posted a JIRA for it.

  3. Thanks for spreading the information Snickers.

  4. Thanks for giving special attention to this case! ;)

    At the moment the security flaws are heavier than before, its possible to the 'attacker' to gain access of the whole someones profile by server side fake authentication. Enables me to shout for you, add as friend without approval and many others, I could even intercept the AU administrator PM's but thats another case! ;)

    I'm not reporting anymore to the AU support e-mail because of their lack of attention and ignorance, I got banned on a non-test account inside AU that I used to promote my stuff w/o a reason atm.



  5. Hey Isoz, have you documented the new exploits anywhere?


All thoughts are welcome.