Was Vivox Chat p0wned by Emerald Developers?

by Pixeleen Mistral on 30/08/10 at 12:16 pm

LindenWorld staff meetings an open book to ban-proof Fractured Crystal, Lonely Bluebird?

Did two Emerald developers – Fractured Crystal and Lonely Bluebird – taunt Emerald critic Hazim Gazov after using the Vivox voice chat admin portal to disable Gazov’s Second Life voice? Were the rogue developers able to track Lab staff on private Linden-only islands? It appears so, if a screen capture provided to the Herald this weekend can be believed.

Over the last several months, a YouTube video and chatlogs have circulated, both of which strongly suggest that Fractured Crystal and Lonely Bluebird took the faction wars between the Emeralds and the Soviet Woodbury group to new levels after the Emerald’s site security was compromised and the data mining operation was revealed. This weekend, a source we will refer to as DeepYiff has provided the Herald with evidence that the exploit that left Hazim Gazov speechless could also have compromised the security of all Vivox voice chat in Second Life.

While it is impossible to be absolutely certain that the screen captures DeepYiff provided are real, they appear to be the Vivox administration portal which can be used to mute, kick, or ban players from the voice service. The Vivox documentation also states that administrative users can listen in to chat channels without appearing to other users – something that may give pause to the Linden staff using Vivox chat for in-world meetings. The screen capture below shows what seems to be a Linden staff meeting in progress on the LindenWorld B private island.

Vivox channel manager

According to Emerald critic Hazim Gazov, both Joe Linden and Soft Linden were aware that some sort of Vivox exploit had taken place after Mr. Gazov reported that his Vivox chat had been disabled. However, it is unclear what – if any – action was taken other than to re-enable Mr. Gazov’s voice chat.

While the Vivox admin screen capture appears to be a bit dated – 1/3 of the Linden staff shown are no longer with the lab, presumably due to the lab’s recent cost cutting measures – it appears to be common knowledge in certain circles that chat has been badly compromised.

I asked Plastic Duck for comment last night, and while he was unsure of the exact method Fractured Crystal (jcool) used, Plastic Duck thought it likely that Fractured Crystal had gained control over the Vivox admin interface.

Pixeleen Mistral: what do you know about the Vivox admin interface?
Plastic Duck: it’s insecure
Pixeleen Mistral: how insecure?
Plastic Duck: jcool was able to get full access
Pixeleen Mistral: yeah, I got a screen shot that implies that
Plastic Duck: and disable people’s accounts
Pixeleen Mistral: Hazim’s account for instance
Plastic Duck: yeah
Pixeleen Mistral: but Vivox has a game moderator can listen in feature
Pixeleen Mistral: and LL uses vivox for staff meetings
Plastic Duck: yeah he can likely listen in on whatever
Pixeleen Mistral: any idea how jcool got in?
Plastic Duck: from what I understand you could just force some admin bit
Plastic Duck: and the servers would happily comply
Plastic Duck: or it could have been related to the exploit that lets you run a rogue sim
Plastic Duck: jcool was abusing the shit out of that one
Plastic Duck: to download files from people’s computers heh
 

All of this raises further questions about why Fractured Crystal has not been banned from Second Life – and how much longer the Lab will tolerate the Emerald gang. Fractured Crystal claimed responsibility for the DDoS attack that led to Philip Linden warning players against the Emerald viewer last week, but perhaps he overheard something in a staff meeting that made him ban-proof.

109 Responses to “Was Vivox Chat p0wned by Emerald Developers?”

  1. Hazim Gazov

    Aug 30th, 2010

    Oh, I should note that they did end up getting voice re-enabled after about 3 days.

  2. Friend of all

    Aug 30th, 2010

    Ok Zidonuke, who cares if you can hack vivox too.

    Phox did it first.

  3. Imnotgoing Sideways

    Aug 30th, 2010

    I hacked Vivox from behind seven proxies. (^_^)y

  4. Friend of all

    Aug 30th, 2010

    Mind telling me why Fractured is on onyx and displaying image comments.

    http://www.exoload.com/810/Clipboard01.tga

  5. Friend of all

    Aug 30th, 2010

    1222 version of emerald was also affected by image comments if you look at the pic closely. Also look at the image comments on the radar.

    http://www.exoload.com/810/Clipboard01.tga

  6. Ann Otoole InSL

    Aug 30th, 2010

  7. General Drama

    Aug 30th, 2010

    This just keeps getting better, Emerald is not just as bad as we thought, they are worse than we imagined. So, Philip, Woodbury sims plox?

  8. General Drama

    Aug 30th, 2010

    Geeze Ann, everybody knows Tateru is a PR flak for LL. She’s the Robert Gibbs of SL. The Bagdad Bob of Waterhead.

    Let me go see how the deck chair shuffling is going on…

  9. Zidonuke

    Aug 30th, 2010

    http://bhr.vivox.com/js/admmgr.js

    search for RECORD

    we can access the recording api.

  10. Friend of all

    Aug 30th, 2010

    @Ann Otoole

    Look at this pic
    http://img816.imageshack.us/img816/851/vivoxhacked1.png

    Tell me the vivox hack was a sham after seeing it.

  11. Friend of all

    Aug 30th, 2010

    LL denies everything happened.

  12. Zidonuke

    Aug 30th, 2010

    heres all the api2 php scripts
    http://zidonuke.pastebin.com/JLDAtq3C

    heres a bunch of js scripts noting the admin functions.
    http://bhr.vivox.com/js/chnmgr.js
    http://bhr.vivox.com/js/usrmgr.js

    all the admin cp functions and capabilities.

  13. Friend of all

    Aug 30th, 2010

  14. Friend of all

    Aug 30th, 2010

    There are the css scripts
    http://bhr.vivox.com/vivoxportal.css

  15. Friend of all

    Aug 30th, 2010

    http://pastebin.com/jjtd4jqM

    More Vivox links to reproduce the hacks.

  16. Ted

    Aug 30th, 2010

    Oh gee, the internet, p2p, irc, and any connection to another persons data is now deemed insecure.

    Wow. How security is put to light concerning any software that allows a connection to another individual. It’s just never been heard of on the net before. Good for you.

    Fantastic and enlightening.

    Ted

  17. Techye

    Aug 30th, 2010

    Hopefully all this will show the parties involved, LL and ViVox that they need to SECURE the abilities better than they normally do. I’m one of the many though that don’t like to use Voice Chat in SL and as such I would think this is even more reason to not use that feature.

  18. Ann Otoole InSL

    Aug 30th, 2010

    lol vivox is the provider for voice in facebook. that’s a target rich environment. one would think they had the cash to pay for security people to make the calls on crap. so some of this seems incredulous.

  19. Friend of all

    Aug 30th, 2010

    @ann

    I think LL did a good job covering up onyx’s capabilities.

    And look where it got them.

    Everyone is hacking vivox.

  20. Yep

    Aug 30th, 2010

    And this happening by the emerald team is a surprise?

    What is next? I expect the emerald team has hacked into SL users’ accounts and has been data mining people’s RL data and credit card info. Oh of course another speech by the talking doll (Phillip Linden) about Linden Lab’s concern about their customers’ privacy and security. This of course while patting Fractured on the head.

    Pulls the string and listens to the garbled message.

    “Yep, nothing new here.”

  21. Friend of all

    Aug 30th, 2010

    Skills owns emerald point. Who cares.
    http://img816.imageshack.us/img816/851/vivoxhacked1.png
    This is enough proof vivox was hacked.

    There are already ip stealing tools in sl using llparcelmediamanager.

    LL is stupid for not fixing it.

  22. marilyn murphy

    Aug 30th, 2010

    i am a definite outsider. i don’t understand a lot of what is being said here.

    it seems that a very small group of people with the strangest idea about what is fun, creep around on the net and try to invade others’ computers. the most shocking part of all this is, it doesn’t even seem to involve money. they just are sort of doing it, with no real goal.

    it reminds me of when i was very young, and was with a group of boys on a wintry day, they started throwing snowballs at car windshields as they drove by. the joy and fun in it appeared to be the consternation they hoped to elicit from the drivers. that’s it, that’s all it was.

    now if some of these guys actually used their abilities to create some new idea to improve computer processing or something, and that made them money, maybe this would all come to appear as what it is……. throwing snowballs at cars. then again, perhaps they aren’t as good as they think they are, and being on the c-team, all they can muster is….throwing snowballs at cars.

  23. Little Lost Linden

    Aug 30th, 2010

    Do you know who else hacked Vivox?

    …Hitler.

  24. Friend of all

    Aug 31st, 2010

    I did!

    JK, Several screenshots were passed out by Fractured, Phox, and Discrete Dreamscape.

  25. Karen Palen

    Aug 31st, 2010

    @marilyn murphy “it reminds me of when i was very young”

    I think you summed it up very well.

    Go play somewhere else children …

  26. [...] team management seems to be. But, there is no question the Emerald viewer has its detractors. See: Was Vivox Chat p0wned by Emerald Developers? on Alphaville [...]

  27. Ajax Manatiso

    Aug 31st, 2010

    In reply to Hazim’s response to my previous comment — then this means this happened months and months ago. The article made it sound like a recent event. This is even more disturbing knowing that this has gone on for so long.

  28. observer

    Aug 31st, 2010

    @Ajax if you google vivox hacked kinggoon you might find a cached forum page from Kinggoon’s forum in which the how-to was posted dated June 21st 2010 so all the copybotters knew how to do it.

  29. guess

    Aug 31st, 2010

    They forgot the “r” in virwox

  30. Oh NO

    Aug 31st, 2010

    It is recent news hence the emerald icon at the bottom of the screen.

    But the hack has been going around for a long while now.

  31. Deadlycodec

    Aug 31st, 2010

    @Ann Otoole InSL
    “lol vivox is the provider for voice in facebook. that’s a target rich environment. one would think they had the cash to pay for security people to make the calls on crap. so some of this seems incredulous.”

    So? Facebook got hax’d with an SQL injection bug in 2008 or 2009, if I recall. Somebody with the inj3ct0r crew simply looked at the robots.txt file on a facebook subdomain and found some hidden content that contained an SQL injection vulnerability. I have found SQL injection bugs in major fortune 500 companies such as Cox Communications. I’ve seen other cases where an organization’s employees use some externally hosted and owned web application, that application gets hacked, and the employees have reused their login credentials on THEIR company networks, allowing an attacker to quickly and quietly penetrate deep inside corporate networks. After all, where are the intrusions coming from? What’s being exploited? If they’re lucky, sysadmins see an intruder bounce in through a login portal with valid login credentials but they don’t know how they got them, or where they’ll be used next. Such are often the trickiest hacks to perform a forensic analysis on, since the information that is allowing them access is coming from a compromised 3rd party and nothing is being exploited.

    Oh, and Ann, I have a major bug in ID Software, yeah, the company that developed DOOM, right in their network. Wanna see it, first-hand? You know where to find me. Maybe you can get them to fix it, but they haven’t been listening to me and I’ve sent them like 3-4 separate communications about it. And I found serious bugs in Digital Globe, Inc. I could rattle off the names of thousands of websites and company networks, most of them still vulnerable. And I’m not talking about XSS or stupid information disclosure bugs. I’m talking weak login credentials, SQL injection, path traversal, file include, session management, shell injection, script code injection, etc.

    Anyways, my point is that it doesn’t matter how large an organization is, or how much money it has, there are still ALWAYS security issues just waiting to be uncovered. NASA has issues too. So does Lawrence Berkeley National Laboratory. And MIT.

    Check this out btw:
    http://logicdoctrine.blogspot.com/2010/07/jonathon-johnson-shows-us-how-gravest.html

  32. Jayd3n

    Aug 31st, 2010

    LOL I have told everyone many times. Skills Hak cannot be trusted, he developed CDS not to help creators, because they all have copybot viewers themselves, and have tested it, but to ban people who get in their way, and to make a bunch of money over $1000 USD + A month to help cover their tier costs, and refuse to hear anyone’s appeals or reply to them. On top of this which they claim is not true, Emerald Developers run it, and this could be a way how they are detecting people’s IP addresses through vivox, and logging alts and stuff.

    The only reason Linden Lab does not ban skills hak is because he owns like 5 estates, I personally say who gives a crap how much he owns, because he is only paying like $2000 USD a month if that, and he is destroying Second Life with the rest of Emerald. How about all the companies who use second life and vivox voice to call people, and people spying on their private convos and such. It is not good.

    While these guys are constantly allowed to step all over everyone, who controls them, because I am damn sure that the Emerald Devs/Skills have logged into a copybot viewer for testing purposes, but anyone else who has, and got cds banned for such, gee Skills Hak might as well own Second Life, and become everyone’s Master.

  33. Oh NO

    Aug 31st, 2010

    @jayd3n

    Vivox has been destroyed by hackers.

    Skills is only one moron.
    We also need to get rid of ph0x.
    And get rid of red zone.

    I still think jay is still running sl.

    He only mentioned to have quit frac crystal.

  34. Larry Jenkins

    Sep 1st, 2010

    @ann from slu

    http://www.kinggoon.com and http://www.kinggoon.in is not suspended

  35. At0m0 Beerbaum

    Sep 1st, 2010

    @ deadly

    weren’t you dying of aids?

  36. Deadlycodec

    Sep 1st, 2010

    @At0m0 Beerbaum

    Am, actually. I’ve been under hospice care for a little over a month. Nothing has changed since 2008, cept’ I’ve been online less due to frequent 102+ degree fevers (several days a week), nausea, vomiting, and pain that is so bad that they have me taking Oxycontin several times a day along with hydrocodone for breakthrough pain. You could do to lose your childish and unrealistic Hollywood notions as to what happens and how a person is to behave when dying. Dipshit. Also, please insert my balls into your mouth without a condom. Kthxbai.

  37. Hazim Gazov

    Sep 1st, 2010

    @deadly

    Why would you need a condom for ballsucking? If anything, that warrants a dental dam.

  38. Deadlycodec

    Sep 1st, 2010

    @Hazim

    If anything? I got AIDS. You telling me you’d stick my balls in your mouth without any sort of protection? Don’t balls sometimes get shit on them? Bodily fluids such as urine and semen? Sores? How do you know my balls don’t have sores? Jesus Christ, Hazim, you gonna trust someone else’s balls?

  39. Friend of all

    Sep 1st, 2010

    @Noor Loam

    I read your blog.

    You wrote that the rumors are lies.
    That the emerald team did nothing wrong.

    Can you tell me why emerald dev admitted the rumors were true?

    For example: Fractured admitted to the DDOS.

  40. Hazim Gazov

    Sep 1st, 2010

    @Deadlycodec

    I know all too well the folly of trusting another man’s balls, but sometimes I like to take a gamble.

  41. Deadlycodec

    Sep 1st, 2010

    @Hazim Gazov

    Methinks I gambled a bit too much.

  42. Friend of all

    Sep 1st, 2010

    I love hazim’s work.

  43. Friend of all

    Sep 1st, 2010

    SL script on vivox that the lindens released.

    http://pastebin.com/cSFZMyW1

  44. Friend of all

    Sep 1st, 2010

    More breaking in vivox.
    http://i51.tinypic.com/28aj79z.png
    They used viv_set_acct.php?admin=300

    But emerald did it first. Laughs at the hackers after the exploit was open sourced.

  45. Friend of all

    Sep 1st, 2010

    They hacked osgrid’s vivox right after. They are retarded.
    http://pastebin.com/PUH4CjGN

    How to replicate the newest exploit
    http://pastebin.com/rKGyVLJ6
    http://www.bhr.vivox.com/api2/viv_acct.php?mode=update&admin=300
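
The flaw alleged in the interview ("force some admin bit and the servers would happily comply") and in the `admin=300` links in the comments above amounts to a server trusting a privilege value sent by the client. As an added illustration (not code from Vivox, the Herald or the commenters), this Python example contrasts that pattern with a handler that takes privilege only from server-side session data; every name other than the `admin` parameter and the value 300 is hypothetical, and the meaning of 300 is assumed.

```python
# Added illustration, not Vivox code. Field names other than "admin" are hypothetical.
SELF_SERVICE_FIELDS = {"display_name", "email"}  # hypothetical profile fields
PRIVILEGED_FIELDS = {"admin"}                    # parameter named in the comments
ADMIN_LEVEL = 300                                # value quoted in the comments; meaning assumed


def update_account_naive(account, params):
    """Flawed pattern: every request parameter is copied into the record."""
    updated = dict(account)
    updated.update(params)  # a client-sent admin=300 becomes the stored level
    return updated


def update_account_checked(account, params, caller):
    """Apply an update using only server-side facts about the caller.

    Returns (updated_account, rejected); rejected lists the refused fields
    so the calling code can log the attempt for later review.
    """
    updated, rejected = dict(account), []
    caller_is_admin = caller["admin"] >= ADMIN_LEVEL  # read from the session store
    own_record = caller["id"] == account["id"]
    for field, value in params.items():
        if field in SELF_SERVICE_FIELDS and (own_record or caller_is_admin):
            updated[field] = value
        elif field in PRIVILEGED_FIELDS and caller_is_admin:
            updated[field] = int(value)
        else:
            rejected.append(field)  # unknown field, or a privilege the caller lacks
    return updated, rejected


# Constructed sample data: an ordinary user and a request carrying admin=300.
USER = {"id": 42, "display_name": "resident", "email": "r@example.test", "admin": 0}
REQUEST = {"display_name": "resident2", "admin": "300"}

if __name__ == "__main__":
    print(update_account_naive(USER, REQUEST))
    print(update_account_checked(USER, REQUEST, caller=USER))
```

Logging the rejected list gives operators a record of accounts that tried to set a privilege field they do not hold.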
