February 1, 2010

SPAM via Avatars United?? Security black hole?

Since joining Avatars United, I have started to get more spam on my (non-public) email account which I use for Second Life. Going back through the privacy settings at AU, under Manage Applications, I found that the defaults for uninstalled applications had "Allow non-installed applications to access my friends list" checked AND "Allow non-installed applications to send me e-mails, notifications and Inbox messages."

Holy crap!! That looks like an open door for anyone who wants to write an app to grab my email address and start sending me spammy stuff. I've unchecked those settings (see the yellow highlights in the piccy above) but this is really disturbing to me.

Anyone else seeing this?

UPDATE: Here's another point of possible unwanted intrusion. It's in each of your installed applications' settings. Shoutbox is shown here. It's "Do not prompt me if this application requests permission to access my data". Yeesh. It's checked by default too.

14 comments:

  1. no, because they're currently crashed flat.

    Damn, but these guys suck. Their software sucks, their procedures suck, their QA sucks...they did an update of their database right after I signed up, and blew away my account and required me to redo it. Well, when I went to the site to do just that, the cookie I still had active put me inside *someone else's account*! I was logged in as someone else (no, I don't remember who) for a good 2-3 minutes, until I got disgusted and logged out and recreated my own account.

    I was only doing it to block anyone from using my name, but then I find out *THAT DOESN'T WORK*. God, these guys suck.

  2. Yeah and I've had 50 million friend requests from people I've never heard of! Heck they're not even in my circle on Facebook. AU has a lot of promise but this thing is looking more like alpha software than beta.

  3. Thanks for the heads-up, Snickitty! :)

    Now, back to "disuniting" from all the strangers who want to sell me stuff inworld...

  4. I should note what happened to me at one of my work offices, where I happened to go on my lunch hour to read the Linden blog, then look at the new AU site: I immediately caught two versions of the awful virtutrade trojan virus. I swear these people at work don't have as good systems as I have at home. I had to Spybot for an hour to get rid of it. Of course, everyone told me it came from one of these two sites, and I'll have to figure it was AU not SL.

  5. Virtutrade trojan? I tried googling that and came up with virtumonde but nothing else. I spent a fair amount of time on AU Sunday and nothing got flagged by my AV as weird. To be safe I just ran two scans and still nada which is a good thing.

    But, the site itself is clearly a security death trap just for the way it handles privacy and application access to your data. So it wouldn't surprise me in the least if there was other malicious stuff lurking. After all, most of the avatars who were already there are from war games.

  6. Thanks for posting this. Apart from the nuisance of spam (which GMail is pretty good at filtering out), there is even a larger risk of unwanted RL-identity exposure. I blogged it and linked to your post: http://stindberg.blogspot.com/2010/02/potential-rl-identity-exploit-with.html

  7. The worst is not spam, but the possibility that people using RL email addresses can get their RL identities exposed: http://zonjacapalini.wordpress.com/2010/02/16/potential-rl-identity-exploit-with-avatars-united/

  8. Thanks Peter & Zonja, I hadn't thought about that aspect. I've used an avatar specific gmail account since my 1st month on SL after I realized how close I came to replying to IMs offline and leaving my RL signature in the reply. That's when I knew I needed to use gmail. :)

  9. Guys, I really really hate to whine but seriously, what's up with all the sensationalist headlines and "security black holes"?

    Let me get straight to the point:

    There is NO way for an application on Avatars United to get access to your email address, *regardless* of your privacy settings (or any settings) or whether you have the application installed or not.

    I really wish some of you spent a little more time researching before spreading "security black hole" rumors around. If you spend 5 minutes going through the API documentation, you will notice that the AU OpenSocial container exposes very little information to applications or other OpenSocial clients.

    For example, your emails, age, address, location, gender, interests, network presence, timezone, and a number of other information is NOT ACCESSIBLE through API, regardless of any privacy setting. And please note, all these fields are part of the standard OpenSocial specification and are normally accessible (depending on privacy settings) on most other OpenSocial containers. Ever wondered how much information you're exposing by using Google Friend Connect (also based on OpenSocial)?

    Even if your settings allow other AU applications to send you email, your email is never exposed to the application. In fact, the AU server is doing all the sending *on behalf* of the application.

    This means that all application emails will come from "noreply@avatarsunited.com" and are easily identifiable. Additionally, every email includes this line:

    "This message was sent from the [APP NAME] application".

    Which means you can easily identify the sending application and adjust your settings accordingly.

    Yes, I tested all this. And yes, I don't believe you when you tell me you're getting more spam after you signed up with AU.

    Now, I don't want to downsize the importance of security - as a developer, I'm a sucker for security issues. And Avatars United currently has a few discovered security issues, which will hopefully get fixed asap.

    But the reality is, no software can ever be considered 100% secure and security flaws are regularly discovered with software that has been in existence and development for over a decade. Every software or script, including popular forum engines, social networking scripts, CMS and blogging systems, etc. are always patching up security issues and getting new ones discovered. That's the harsh reality of software development and there's nothing sensational about that.

    I agree that AU developers should at least acknowledge they are working on the issues, but not publicly discussing security flaws until they've been patched is a common policy too.

  10. Yvw :-) It took me more than one year, after I had grossly goofed more than once :-( I think that making people aware of this problem is always a good thing -- having a RL email is always a security risk.

  11. @MSo -- Read my latest blog post on this. Both Yoz & Soft Linden have said the same thing about how OpenSocial applications are implemented. However, that does not stop the fact that many people, myself included, noticed an increase in SPAM right after joining AU. And FWIW, Linden Lab has acknowledged in the JIRA that the XSS and arbitrary file upload vulnerabilities DO exist and they are being worked on. Soooo, all in all, the net result is positive out of my and others' blogging!

  12. @MSo: Your clarification is very welcome. Anyway, I think the "don't discuss security flaws until they have been fixed" politics doesn't apply to this case. Peter's post was a call for immersive users to use avatar emails instead of RL emails, and it's never a bad time for such a call. In any case, the people at AU need to hire somebody competent to write their messages. I'm a computer literate person, but I don't have time to spend "5 minutes going through the API documentation" -- heck, I don't even know which documentation you're referring to! :-) In this sense, I think Snickers' post goes well to the center of the question.

  13. @Snickers: I don't have anything against blogging about it (and I enjoy reading your blog), I just think that posting claims like "AU exposes your email address to untrusted applications" causes more confusion than it does good. Your email address on AU simply can't be accessed by a 3rd-party app unless someone is doing something illegal (like trying to hack into your account or the servers).

    Verified security vulnerabilities are a whole different (and serious) matter and like you said, LL has acknowledged them and are working on them.

    @Zonja: I didn't have Peter's post in mind when writing my comment - and I completely agree with his call to keep avatar and RL separate, especially if you're an immersive user.

    As for the documentation, I wasn't implying that the users should read the API documentation, but if you're going to post a claim that reads as a fact, it probably wouldn't hurt to check the API - you'd realize the API doesn't enable you to just whip up an AU application that goes around stealing people's email addresses.

    Security vulnerabilities aside, I personally think there is nothing wrong with how privacy is implemented on AU, since none of your potentially sensitive data is exposed.

    As for increase of spam emails, I haven't experienced that myself and I'm signed up with one "real" account and two for development purposes.

    I'm currently going through the standard apps and checking if there's a possibility of user's email address being exposed somewhere in clear text or something similar, but so far I haven't found anything that could enable any scraping of email addresses.

  14. Have you even considered the possibility that some other form of spy-ware has infected your computer and harvested your email? It's possible the timing was just very bad and happened around the time you signed up for AU.. I have been noticing a lot of spy-ware on my friends' machines and a lot of them also saying their machine appears to be doing things when they are not using it.. It's very possible your machine has been compromised in some other way.


All thoughts are welcome.
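
Comment 9 above describes application mail as relayed by the AU server from noreply@avatarsunited.com with a footer naming the application. The sketch below is an added example, not code from the post, the commenters or Avatars United: it sorts saved messages by that pattern so a reader can see which application, if any, a message claims to come from. The sample messages are constructed, and the footer regex assumes the wording quoted in the comment.

```python
import email
import re
from collections import Counter
from email import policy
from email.utils import parseaddr

AU_SENDER = "noreply@avatarsunited.com"  # sender address quoted in comment 9
# Footer wording as quoted in comment 9; exact formatting is an assumption.
FOOTER = re.compile(r"This message was sent from the (.+?) application", re.I)

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Avatars United <noreply@avatarsunited.com>\nSubject: New shout\n\n"
    "Hi!\nThis message was sent from the Shoutbox application\n",
    "From: Avatars United <noreply@avatarsunited.com>\nSubject: Welcome\n\n"
    "Thanks for signing up.\n",
    "From: Cheap L$ <deals@spam.example>\nSubject: Buy now\n\n"
    "This message was sent from the Shoutbox application\n",
    "From: noreply@avatarsunited.com\nSubject: Another shout\n\n"
    "this message was sent from the Shoutbox application\n",
]

def classify(raw):
    """Return (kind, app_name) for one raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != AU_SENDER:
        # Not the relay address: by comment 9's description this mail did not
        # go through the application path, whatever its body says.
        return ("other", None)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    match = FOOTER.search(text)
    if match:
        return ("au-app", match.group(1).strip())
    # From the relay address but without the application footer.
    return ("au-no-footer", None)

def triage(raws):
    """Count messages per (kind, app_name) so the noisy application stands out."""
    return Counter(classify(raw) for raw in raws)

if __name__ == "__main__":
    for (kind, app), count in triage(SAMPLES).most_common():
        print(f"{count:3d}  {kind:14s} {app or '-'}")
```

A From header can be forged, so this groups mail by what it claims; the Received and Authentication-Results headers are the place to confirm where a message actually originated.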