by Pixeleen Mistral on 12/03/11 at 3:12 pm
Is Redzone playing guessing games with 2200 customers’ SL passwords?
The firestorm of criticism surrounding the zf Redzone Second Life security system may be only the beginning of zFire Xue's troubles. A shadowy group of Second Life hacktivists claim to have breached the Redzone server's security, gaining access to the server database and discovering cleartext passwords for most Redzone customer accounts on the site.
As if storing raw Redzone customer passwords were not bad enough, there is apparently a second table that records the passwords typed in failed login attempts, in the hope that users will accidentally enter their Second Life account password. These failed passwords are conveniently displayed on the user profile page of the "Admin Overlord App" as "Possible SL PW(s)".
In light of these revelations, the Herald strongly suggests that all zf Redzone customers change their Second Life account passwords immediately – and ask themselves why they would continue to run a product that attempts to guess their Second Life password.
Rumors that zf Redzone has been used in attempts to collect Second Life passwords recently gained significant metaverse mindshare as a YouTube video began making the rounds describing a web site that can predict player passwords based on failed login attempts.
It is widely believed that the video is from zFire Xue to Mariana Swashbuckler. Avril Korman reports that zFire Xue is part of a SL gang known as the "Mars Syndicate" which includes a member named Mariana – apparently the same Mariana to whom the video is addressed.
How did the hacktivists gain access to the Redzone security system's secrets? According to several sources, the site fell to an SQL injection attack, in which carefully crafted URLs cause the site to hand over information from the database that was never intended for public viewing.
This is the same sort of attack which was used to breach the HBGary Federal site recently. We can only conclude that role-play security experts in both real life and Second Life have some difficulty with the basics of keeping their own sites secure. Perhaps they should not store sensitive data?
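Both problems the article describes, a failed-login table that keeps whatever the user typed and database queries that can be steered from URL parameters, come down to how the login handler is written. The following Python is an added example of the defender's side, not Redzone's code (which has never been published): a parameterized lookup, salted PBKDF2 hashes in place of md5 or raw storage, and a failed-login table that records only who, from where and when. The table and column names, the iteration count, and the sample users and IP addresses are all constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
import time
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; tune for the server).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def open_db() -> sqlite3.Connection:
    """In-memory schema (constructed for the example). Note what is NOT here:
    no raw-password column and no column for the text of failed attempts."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
        CREATE TABLE failed_logins (username TEXT, source_ip TEXT, ts INTEGER);
        """
    )
    return db


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    # '?' placeholders: the driver binds the values; they never become SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))


def record_failure(db: sqlite3.Connection, username: str, source_ip: str) -> None:
    """Record who failed, from where and when. The submitted password is
    deliberately not a parameter of this function, so it cannot be stored."""
    db.execute(
        "INSERT INTO failed_logins VALUES (?, ?, ?)",
        (username, source_ip, int(time.time())),
    )


def login(db: sqlite3.Connection, username: str, password: str, source_ip: str) -> bool:
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Unknown user: spend the same hashing effort so response timing does
        # not reveal which usernames exist, then log the failure.
        hash_password(password, b"\x00" * 16)
        record_failure(db, username, source_ip)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    if hmac.compare_digest(candidate, stored):
        return True
    record_failure(db, username, source_ip)
    return False


def failed_login_columns(db: sqlite3.Connection) -> list:
    """Column names of the failure log, to confirm no password column exists."""
    return [col[1] for col in db.execute("PRAGMA table_info(failed_logins)")]


def unsafe_lookup_error(db: sqlite3.Connection, username: str) -> Optional[str]:
    """Contrast case: the username is pasted into the SQL text. Even a benign
    apostrophe (o'neil) breaks the statement, which is how a site ends up
    showing SQL error messages on its pages. Returns the error text, or None."""
    try:
        db.execute(f"SELECT username FROM users WHERE username = '{username}'").fetchone()
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = open_db()
    register(db, "alice", "correct horse battery")  # constructed sample user
    print(login(db, "alice", "correct horse battery", "203.0.113.5"))  # True
    print(login(db, "alice", "wrong guess", "203.0.113.5"))  # False
    print(failed_login_columns(db))  # ['username', 'source_ip', 'ts']
    print(unsafe_lookup_error(db, "o'neil"))  # sqlite syntax error text
```

The `unsafe_lookup_error` function is there only for contrast: the string-built query it uses is the pattern that produces the SQL error messages the article mentions, and it trips on nothing more hostile than a surname with an apostrophe. Everything else in the block shows the shape a login path should have: bound parameters, a salted slow hash compared in constant time, and a failure log whose schema has no place to put a password.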
Password compromises are not the only concern raised by the leak. It appears that zFire Xue can also manually add players to the Redzone copybotter list.
We can only hope that Mr. Xue does not abuse this power to persecute his critics.
The amount of avatar and IP address information contained in the Redzone database is impressive – but not in a good way. According to those claiming responsibility for the leak, there are over 1.6 million unique IP addresses linked to various avatars in the database, along with geo-location tables for identifying the real-life locations of Second Life players monitored by zf Redzone.
However, the hacktivists who accessed the Redzone database have not published its contents, so these claims will be hard to verify.
The hacktivists behind the security breach went into significant detail about what they uncovered in this comment sent to the Herald early today:
Screenshots showing zFire's password viewing pages and others. Certain sensitive info is removed. Please save and repost the images before they get removed.
“Admin Overlord Ap” – http://i.imgur.com/Vrfrt.png
“Account Data” – passwords were stored using md5() hashes. A column was added later to keep the raw password to show to admins. After… the failedlogin table was added to store failed logins and show failed password choices to admins. Probably used to steal SL accounts like in the video.
Other info: there are raw failedlogin passwords stored for 2200 users. There are raw user passwords stored for most with an isellsl and redzone account.
IPs are not stored encrypted like the “frequently asked questions” say. There are 1670471 unique nonencrypted IPs connected to avatars. There are geoip tables in the db for finding locations from IP….
Maybe zFire plans to stalk people around the grid using his redzone things. This table is in the redzone db:
[tracking] index, detectedname, detecteduuid, location, date, ownername, owneruuid, objectname, objectuuid
4 other people in the server at once… bad security.
I only want to confirm, not take data or mess up his data or something stupid. I did not remove the db or mess it up. I can't and also won't leak the contents. Maybe other people already got it though, from looking at SQL errors and posts of passwords changed without them…
Please remove the tracking and failedlogin tables and the pass2 column from the users table. Thank you.
Please also read OWASP and fix the page, zFire. Don't be a jerk!!
As of this writing, evidence that something is seriously amiss with the isellsl.cx Redzone site persists, as SQL error messages are displayed on several pages. Attempts to contact zFire Xue for comment have been met with silence – it seems likely he is busy inspecting his database and applications for leaks and damage.
Given the level of access the hacktivists seem to have to his system, the Herald suggests Mr. Xue take our advice to his customers and change his passwords – then ask himself why he would continue to run Redzone.