The Alphaville Herald

Say It Ain’t So, D3adly — Avatars United Takes A Hit, Yet Again

by Defne Demar on 23/05/10 at 8:25 pm

You don’t hear much of d3adlyc0d3c lately, except on the comment sections of various blogs. You definitely don’t see him in Second Life. Did the deadly disease get the best of him and take his hacking career down? Not really, says D3adly. But he seems to have gotten “less” deadly, that’s for sure.

Explaining that he misses Second Life sometimes, he openly admits that whenever he starts back up again he “really always end[s] up clashing with the wrong people and then going on some sort of stupid griefer rampage.” That doesn’t mean he stopped messing around in the digital playgrounds of the Interwebs. Apparently, Avatars United, with its questionable infrastructure, became one such playground for D3adly.

Avatars United has seen plenty of feedback from d3adlyc0d3c

Back in February, Alphaville Herald had reported on the security holes of this newfangled social networking site for avatars. Some residents even questioned the necessity of such a social networking site, suggesting that since Second Life itself is defined (by the Lindens) to be a community site, this sloppy attempt at improving the experience (not to mention attempt at a likely competition with Facebook) via an insecure and immature AU site is a questionable move at best. Problems? Set aside the fact that we are officially social-networked out (yet another site to log onto!), the anonymity of the site lends itself to impersonation and deception. For instance, there appears to be more Linden employees on the site than in real life. Not your problem? Surely you have heard about the security holes.

After having read our coverage on AU, D3adly, curious to discover some of these vulnerabilities, opened an account and started testing the site to figure out the extent to which the site was insecure. His results are mind-blowing. He confirmed what some of us had suspected for awhile now: the site was seriously insecure.

Having figured out how that the AU system generated security tokens for its users and what these tokens meant, D3adly was able to “forge” requests being sent to the server to generate these tokens and, in doing so, accessed other people’s accounts and applications. While acknowledging that his motivations were merely based on curiosity and a genuine desire to help the Lindens in finding bugs, he says that anyone with questionable intentions could have used the compromised site for malicious purposes.

In addition to injecting HTML IMG tags into a number of AU profiles using the aforementioned bug and forcing a group of users (such as Soft Linden) to send him friend requests, he was able to spoof messages that appeared to come from anyone he wanted, including from FBjork, the AU developer and the founder of Enemy Unknown, and inject messages into other people’s message threads and read private messages between users. I must say, glancing at the samples of private communication between users did not surprise me one bit. But receiving them from someone who made his career out of griefing and crashing sims left me a bit uneasy.

For those who are wondering what D3adly will do with this, rest assured: his malicious days are long gone. He can barely remember his days in the PN or even in Dissention, a three-week griefing group where he and several other folks crashed sims and hacked their way into the Linden network in Facebook to gather information about the LL employees from their profiles for nothing more than maybe sending them flowers — OK, maybe there was a little more intention involved. Instead, he reported several dozen security issues to Soft Linden with the understanding that they will be fixed soon – but not before teasing Plastic Duck.

Responding to an argument that the two had in Facebook, D3adly hacked into Plastic’s profile (who allegedly hates Chans) and modified his AU profile to an image of the Anonymous, and made him shout in his status, “I think I liked the Chans now.” We feel for Plastic. But our concerns are somewhat different. Will the security holes be fixed sooner rather than later? Remains to be seen. As Plastic Duck once said in an interview: “I’ve noticed with Linden Lab telling them to fix something isn’t enough. You need to exploit it to hell and cause half of the SL population to freak out before anything is done.” True, but other relevant questions are: Do we need yet another social networking site? Will AU make the experience of SL better? My guess is, no & not likely. All avatars are already on Facebook anyway.