The Alphaville Herald

Was Vivox Chat p0wned by Emerald Developers?

by Pixeleen Mistral on 30/08/10 at 12:16 pm

LindenWorld staff meetings an open book to ban-proof Fractured Crystal, Lonely Bluebird?

Did two Emerald developers – Fractured Crystal and Lonely Bluebird – taunt Emerald critic Hazim Gazov after using the Vivox voice chat admin portal disable Gazov’s Second Life voice? Were the rogue developers able to track Lab staff on private Linden-only islands? It appears so, if a screen capture provided to the Herald this weekend can be believed.

Over the last several months, a YouTube video and chatlogs have circulated, both of which strongly suggest both Fractured Crystal and Lonely Bluebird took the faction wars between the Emeralds and the Soviet Woodbury group to new levels after the Emerald’s site security was compromised and the data mining operation was revealed. This weekend, a source we will refer to as DeepYiff has provided the Herald with evidence the exploit that left Hazim Gazov speechless could also have compromised the security of all Vivox voice chat in Second Life.

While it is impossible to be absolutely certain that the screen captures DeepYiff provided are real, they appear to be the Vivox administration portal which can be used to mute, kick, or ban players from the voice service. The Vivox documentation also states that administrative users can listen in to chat channels without appearing to other users – something that may give pause to the Linden staff using Vivox chat for in-world meetings.  The screen capture below shows what is seems to be a Linden staff meeting in progress on the LindenWorld B private island.

click image for full size view

According to Emerald critic Hazim Gazov, both Joe Linden and Soft Linden were aware that some sort of Vivox exploit had taken place after Mr. Gazov reported that his Vivox chat had been disabled. However it is unclear what – if any – action was taken other than to re-enable Mr. Gazov’s voicechat.

While the Vivox admin screen capture appears to be a bit dated – 1/3 of the Linden staff shown are no longer with the lab, presumably due to the lab’s recent cost cutting measures – it appears to be common knowledge in certain circles that chat has been badly compromised.

I asked Plastic Duck for comment last night, and while he was unsure of the exact method Fractured Crystal (jcool) used, Plastic Duck thought it likely that Fractured Crystal had gained control over the Vivox admin interface.

Pixeleen Mistral: what do you know about the VIvox admin interface?
Plastic Duck: it’s insecure
Pixeleen Mistral: how insecure?
Plastic Duck: jcool was able to get full access
Pixeleen Mistral: yeah, I got a screen shot that implies that
Plastic Duck: and disable peoples accounts
Pixeleen Mistral: Hazim’s account for instance
Plastic Duck: yeah
Pixeleen Mistral: but Vivox has a game moderator can listen in feature
Pixeleen Mistral: and LL uses vivox for staff meetings
Plastic Duck: yeah he can likely listen in on whatever
Pixeleen Mistral: any idea how jcool got in?
Plastic Duck: from what I understand you could just force some admin bit
Plastic Duck: and the servers would happily comply
Plastic Duck: or it could have been related to the exploit that lets you run a rogue sim
Plastic Duck: jcool was abusing the shit out of that one
Plastic Duck: to download files from peoples computers heh
 

All of this raises further questions about why Fractured Crystal has not been banned from Second Life – and how much longer the Lab will tolerate the Emerald gang. Fractured Crystal claimed responsiblity for the DDoS attack that led to Philip Linden warning players against the Emerald viewer last week, but perhaps he overheard something in a staff meeting that made him ban-proof.