zf Redzone Security Breached – SL Passwords Compromised?
by Pixeleen Mistral on 12/03/11 at 3:12 pm
Is Redzone playing guessing games with 2200 customers’ SL passwords?
The firestorm of criticism surrounding the zf Redzone Second Life security system may be only the beginning of zFire Xue’s troubles. A shadowy group of Second Life hactivists claim to have breached the Redzone server’s security, gaining access to the server database and discovering cleartext passwords for most Redzone customer accounts on the site.
As if storing raw Redzone customer passwords is not bad enough, there is apparently a second table that tracks passwords from failed login attempts in the hope users will accidentally enter their Second Life account password. These failed passwords are conveniently displayed on the user profile page of the "Admin Overlord App" as "Possible SL PW(s)".
In light of these revelations, the Herald strongly suggests that all zf Redzone customers change their Second Life account passwords immediately – and ask themselves why they would continue to run a product that attempts to guess their Second Life password.
Redzone User Data includes possible SL passwords stored in cleartext
Rumors that zf Redzone has been used in attempts to collect Second Life passwords recently gained significant metaverse mindshare as a YouTube video began making the rounds describing a web site that can predict player passwords based on failed login attempts.
It is widely believed that the video is from zFire Xue to Mariana Swashbuckler. Avril Korman reports that zFire Xue is part of a SL gang known as the "Mars Syndicate" which includes a member named Mariana – apparently the same Mariana to whom the video is addressed.
How did the hactivists gain access to the Redzone security system’s secrets? According to several sources, the site fell to an SQL injection attack in which carefully crafted URLs cause the site to hand over information in the database that was not intended for public viewing.
This is the same sort of attack which was used to breach the HBGary Federal site recently. We can only conclude that role-play security experts in both real life and Second Life have some difficulty with the basics of keeping their own sites secure. Perhaps they should not store sensitive data?
Passwords compromises are not the only concern raised by the leak. It appears that zFire Xue can also manually add players to the Redzone copybotter list.
We can only hope the Mr. Xue does not abuse this power to persecute his critics.
Admin Overlord App allows manual addition of "copybotters" and Account stats lookup
The amount of avatar and IP address information contained in the Redzone database is impressive – but not in a good way. According those claiming responsibility for the leak, there are over 1.6 million unique IP addresses connected to various avatars in the database, and geo-location tools to identify real life location of Second Life players monitored by zf Redzone.
However, hactivists who have accessed the Redzone database have not published its contents so these claims will be hard to verify.
zFire Xue protects his own "Possible SL PW" from view
The hactivists behind the security breach went into significant detail about what they uncovered in this comment sent to the Herald early today:
screenshots having zfires password viewing pages and others. certain sensitive info is removed. please save and repost the images before they get remove.
“Admin Overlord Ap” – http://i.imgur.com/Vrfrt.png
“Account Data” – passwords were store using md5() hashed. a column is added later to keep the raw password to show to admins. after… the failedlogin table is added to store failed logins and show failed password choices to admins. probably use to steal SL accounts like in the video
zfires “Account Data” page – http://i.imgur.com/iIesN.png random redzone owner “Account Data” page (to demonstrate that possible all sl password is show to admins) – http://i.imgur.com/Vnt21.png
other infos: there is raw failedlogin passwords store for 2200 users. there is raw user password store for most with an isellsl and redzone account.
ips are not store encrypted like the “frequently asked questions” say. there is 1670471 unique nonencrypted ips connected to avatars. there is geoip tables in the db for finding locations from ip….
maybe zfire plans to stalk people around the grid using his redzone things. This table is in the redzone db:
[tracking] index, detectedname, detecteduuid, location, date, ownername, owneruuid, objectname, objectuuid
4 other people in the server at once.. bad security.
i only want to confirm. not data or mess up his data or something stupid. i did not remove the db or mess it up. i cant also wont leak the contents. maybe other people already got it though, from looking at sql error and posts of password changed without them…
please remove tracking and failedlogin tables and pass2 column from users table. thank you.
please also read OWASP and fix page zfire. dont be a jerk!!
As of this writing, evidence that something is seriously amiss with the isellsl.cx Redzone site persist as SQL error messages are displayed on several pages. Attempts to contact zFire Xue for comment have been met with silence – it seems likely has is busy inspecting his database and applications for leaks and damage.
Given the level of access the hactivists seem to have to his system, the Herald suggests Mr. Xue takes our advice to his customers and change his passwords – then ask himself why he would continue to run Redzone.
Nelson Jenkins
Mar 27th, 2011
@ jaggedglass bumhole
Are you an idiot, or are you just too high off of the drugs the doc gave you from surgery for the removal of all that glass from your bumhole?
Popular SL News During March 2011 « Daniel Voyager's Blog
Mar 30th, 2011
[...] zf Redzone Security Breached – SL Passwords Compromised? – 12th [...]
assmasyer
Apr 5th, 2011
lol redzones done for
SL Population Crash Continues | The Alphaville Herald
Apr 11th, 2011
[...] taste, and not everyone wants to play stalk-and-ban-the-other-players, or hunt down 3rd party data miners tracking alt accounts. Of course there is always the challenge of running a virtual business for a [...]
jennifer
Aug 6th, 2012
HEY FUCK YOU IM A PERSON
Archie
Feb 18th, 2013
Sorry – who are Redzone?
any good journo would give the premise of a story background and explain the terminology forst.
1/10
Do it again after school.
(One assumes the author must be a spotty youth, no?)
hobo kelly
Feb 19th, 2013
Spotty youth? Kid you don’t know the half of it. If you did, you would know that Redzone is where the commies were living all along… Yeah kid, the commies… Don’t you remember them? Maybe you weren’t around back then. If you weren’t then you were lucky. Take my word for it. You might have gotten yourself communated or something worse… Anyway, they had these bottles, I mean the commies, they had these bottles of Vodka that when you drank enough from them you would start to hear Russian marching music while you drank!. For real kid. “RA RA DOS BEDONIA MY COMRADES BELARUS CHICKEN TRACKERS FOR ALL AND THAT MEANS FOR EVERYONE RA RA, DA DA…” they would sing kid. Catchy tune But dangerous… oh so dangerous kid. Before you knew it that song would drill itself all the way through your brain and the next thing you know you are making stuff and putting it out as a FREEBIE, oh dear god, and you might congregate and form groups dedicated to throwing spanners into LAND BARONS’ works, da comrade… ALL THOSE THINGS, and then even more things, and then the next thing you know you have all out ANARCHY and then you need Redzone Security where you try to have some kind of security amonst the Commies because everybody is now trying to fuck everybody else since All Your Bases Are Belong To Us now, if by Bases you really mean Asses, then you get the stinking commie idea behind the dogpile that was the codepile and when you add in all that Marching and Vodka all of a sudden you get the idea why Redzone failed… and PLEASE never EVER ask anybody about Green Zone… because the know the truth about Algore Resident and just how he handles the Spotty Youth, eh wot buddy?
aruba19
Apr 29th, 2013
@ Archie, not who, but what…. The article needs no background premise since anybody with a brainwave pattern knows what the RedZone controversy was and its resolution.
sober truth
Jul 28th, 2013
@ Archie – Redzone was a security system that used media streams to record and match IP addresses of avatars against a database maintained by the creator of the Redzone product. If an avatar’s IP matched another avatar’s IP who happened to be banned, the security system would eject and ban them from the parcel/sim. This was supposed to stop griefers and copybotters from simply registering new accounts to bypass bans from sims they had already been ejected from.
A small yet very vocal handful of upset members of a BDSM fetish site created a groundswell of support after being locked out of the Balcones sim which used Redzone to lock out 19 alts of the one person alone. This group set up camp at sluniverse forums and proceeded to drum up a storm of support against the security system Redzone. The resulting group “Greenzone” declared Redzone to be an invasion of privacy, even though they also admitted it to be inaccurate at detecting alts (since IPs can be shared by more than one person). They also claimed that Redzone was being used to witch hunt selected people and promptly set about their own witch hunt against the creator of the product and businesses/individuals who used it. This included but was not limited to disinformation, outright slander, vigilantism, boycotts of inworld businesses and extensive harrassment of Linden Lab employees who ultimately rewrote the TOS for second life no less than three times to acommodate them and ultimately banned Redzone’s creator without recompense while members of the Greenzone community continued to harass Redzone users for months afterwards..
That is more or less what Redzone was. Naturally there are people who will say otherwise, but only because they cannot own the situation as it was.
Altofme
Aug 22nd, 2013
Sober it went a bit further than that. I think it would have been a great tool had the information not been made available who’s alts where whos. Banning the alt would have sufficed without that information being made public. Use on your own sim, was acceptable, but I knew as soon as he made the hud to snoop out other alts of avatars on any sim, that was the beginning of the end. This lead to harassment and stalking of many folks that had created alts to get away from a bad past. It was a great idea, he just took it too far, and violated the privacy of the innocent.