by Alphaville Herald on 14/02/10 at 8:42 pm
Two apparent security holes found in Linden Lab's new social media site in one week
by Pixeleen Mistral and Senban Babii
Avatars United security issue reported February 7 is followed by nearly identical hole on February 12
After Alphaville Herald reporter Senban Babii quietly notified the Avatars United web site of a potentially exploitable problem in Linden Lab's new Facebook for avatars social media web site February 7th, the Herald staff was gratified to hear from Fredrik Björk, Co-founder & CTO of Avatars United that the issue had been addressed on February 8th.
If only the story had ended there.
We also assumed that after Mr. Björk fixed the immediate problem, he would take a close look at the rest of the AU site for similar exploits. So it came as a surprise to find the slapt.me forum buzzing today with news of another very similar exploit – this time for the Avatars United blog tool.
On Ms. Bioworm's Vimeo video page, she claims to have contacted the Avatars United staff without a response, and while this demonstration of forcibly redirecting an AU session to Google seems innocent enough, the episode raises troubling questions.
One might wonder at the Lab's sudden compulsion to compete with Facebook via an insecure and immature Avatars Unlimited site. How much due diligence was done on the AU technology before herding the Second Life community to a site without identity verification, and with what now appears to be a string of security issues? While we understand that Avatars United is still a test site, perhaps Mr. Björk will want to correct the newest issue? Soon?
Senban Babii warns Avatars United of a problem:
Subject: Security Issue With Avatars United
Date: Sun, 7 Feb 2010 21:11:18 +0000
Earlier today, I noticed that the Avatars United social networking site has a potentially serious security issue. Could you therefore please pass on the following information to the appropriate members of the team so that the issue can be dealt with rapidly? Thanks in advance.
[exploit description elided]
The response from Avatars United:
Subject: Re: Security Issue With Avatars United
Date: Mon, 8 Feb 2010 12:28:33 +0100
thank you for reporting this! This issue has now been fixed.
Please let us know if you should find other similar issues on the site and we'll do our best to fix them.
Co-founder & CTO
Enemy Unknown AB