zf Redzone Security Breached – SL Passwords Compromised?

by Pixeleen Mistral on 12/03/11 at 3:12 pm

Is Redzone playing guessing games with 2200 customers’ SL passwords?

The firestorm of criticism surrounding the zf Redzone Second Life security system may be only the beginning of zFire Xue’s troubles. A shadowy group of Second Life hactivists claim to have breached the Redzone server’s security, gaining access to the server database and discovering cleartext passwords for most Redzone customer accounts on the site.

As if storing raw Redzone customer passwords is not bad enough, there is apparently a second table that tracks passwords from failed login attempts in the hope users will accidentally enter their Second Life account password. These failed passwords are conveniently displayed on the user profile page of the "Admin Overlord App"  as "Possible SL PW(s)".

In light of these revelations, the Herald strongly suggests that all zf Redzone customers change their Second Life account passwords immediately – and ask themselves why they would continue to run a product that attempts to guess their Second Life password.

Redzone User Data includes possible SL passwords stored in cleartext

Rumors that zf Redzone has been used in attempts to collect Second Life passwords recently gained significant metaverse mindshare as a YouTube video began making the rounds describing a web site that can predict player passwords based on failed login attempts.

It is widely believed that the video is from zFire Xue to Mariana Swashbuckler. Avril Korman reports that zFire Xue is part of a SL gang known as the "Mars Syndicate" which includes a member named Mariana – apparently the same Mariana to whom the video is addressed.

How did the hactivists gain access to the Redzone security system’s secrets? According to several sources, the site fell to an SQL injection attack in which carefully crafted URLs cause the site to hand over information in the database that was not intended for public viewing.

This is the same sort of attack which was used to breach the HBGary Federal site recently. We can only conclude that role-play security experts in both real life and Second Life have some difficulty with the basics of keeping their own sites secure. Perhaps they should not store sensitive data?

Passwords compromises are not the only concern raised by the leak. It appears that zFire Xue can also manually add players to the Redzone copybotter list.

We can only hope the Mr. Xue does not abuse this power to persecute his critics.

Admin Overlord App allows manual addition of "copybotters" and Account stats lookup

The amount of avatar and IP address information contained in the Redzone database is impressive – but not in a good way.  According those claiming responsibility for the leak, there are over 1.6 million unique IP addresses connected to various avatars in the database, and geo-location tools to identify real life location of Second Life players monitored by zf Redzone.

However, hactivists who have accessed the Redzone database have not published its contents so these claims will be hard to verify.

zFire Xue protects his own "Possible SL PW" from view

The hactivists behind the security breach went into significant detail about what they uncovered in this comment sent to the Herald early today:

screenshots having zfires password viewing pages and others. certain sensitive info is removed. please save and repost the images before they get remove.

“Admin Overlord Ap” – http://i.imgur.com/Vrfrt.png

“Account Data” – passwords were store using md5() hashed. a column is added later to keep the raw password to show to admins. after… the failedlogin table is added to store failed logins and show failed password choices to admins. probably use to steal SL accounts like in the video

zfires “Account Data” page – http://i.imgur.com/iIesN.png
 random redzone owner “Account Data” page (to demonstrate that possible all sl password is show to admins) – http://i.imgur.com/Vnt21.png

other infos: there is raw failedlogin passwords store for 2200 users. there is raw user password store for most with an isellsl and redzone account.

ips are not store encrypted like the “frequently asked questions” say. there is 1670471 unique nonencrypted ips connected to avatars. there is geoip tables in the db for finding locations from ip….

maybe zfire plans to stalk people around the grid using his redzone things. This table is in the redzone db:

[tracking] index, detectedname, detecteduuid, location, date, ownername, owneruuid, objectname, objectuuid

4 other people in the server at once.. bad security.

i only want to confirm. not data or mess up his data or something stupid. i did not remove the db or mess it up. i cant also wont leak the contents. maybe other people already got it though, from looking at sql error and posts of password changed without them…

please remove tracking and failedlogin tables and pass2 column from users table. thank you.

please also read OWASP and fix page zfire. dont be a jerk!!

As of this writing, evidence that something is seriously amiss with the isellsl.cx Redzone site persist as SQL error messages are displayed on several pages. Attempts to contact zFire Xue for comment have been met with silence – it seems likely has is busy inspecting his database and applications for leaks and damage.

Given the level of access the hactivists seem to have to his system, the Herald suggests Mr. Xue takes our advice to his customers and change his passwords – then ask himself why he would continue to run Redzone.

a general error on the isellsl.cx MadScientist forums
idea organizer now disorganized
the neighborhood watch throws errors

110 Responses to “zf Redzone Security Breached – SL Passwords Compromised?”

  1. Eva Ryan

    Mar 12th, 2011


    See, this is what happens when you challenge someone to try to hack your UBER-Secure website… YOU GET HACKED!

    And really, RedZone customers should have known better than to trust someone that’s low enough to use exploits to monitor others.

    Sucks to be you all.

  2. Scylla Rhiadra

    Mar 12th, 2011

    “We can only hope the Mr. Xue does not abuse this power to persecute his critics.”

    There is evidence that he already has.

    Everything about this highlights the fact that Linden Lab MUST act to prevent this sort of system from operating in Second Life again: the original system was a violation of the ToS and of basic rights of privacy, and was (as is clear from the “Mariana” video) also a means for a frighteningly dangerous hack into SL accounts. At the same time, the vulnerability of the database demonstrates that it just is NOT wise to let amateur “security experts” engage in this kind of datascraping.

    Linden Lab needs to act NOW to re-establish the confidence of its customers in the system. This is no longer just about RedZone: it’s about the security vulnerabilities in SL itself that have made this kind of disaster possible.

  3. Avril Korman

    Mar 12th, 2011

    Aww… You got all the good stuff sent to you.

    No seriously, well done. This is GOLD. Thank you very much for posting all of this. Really all it does is corroborate what many of us have said all along.

    Granted I’m sure this will be written off as pshop wizardry and that there was no hack and whatever other lie he can think of to keep the bottom feeders believing, but for the rest of us?

    Yeah thank you for this. :)


  4. Orion

    Mar 12th, 2011

    Gee whiz, its Emerald all over again. -.-

  5. EvilJezzy

    Mar 12th, 2011

    They better shut this down, i’m serious and i will not show mercy this next time. Allot of people were spared the spam hammer and many sims were left alone. This is nothing more than a privacy invasion tool it does not stop our viewers and does not stop the educated griefer.
    Go ^#^& yourself zfire aka SPITFIRE CLARY I WIN!!!
    Evil Jezzy
    Now that redzone is toast i can quit griefering cause sl sucks and is boooring. Anyway my job is done now i can go have a life x thx GBYE.

  6. Potosi Abonwood

    Mar 12th, 2011

    Wow. Simply wow. Posted a link on my blog leading back to this article. The truth has been shown.

  7. Glenn Beck

    Mar 12th, 2011

    You know who else kept a database of their victims?


  8. deadzone

    Mar 12th, 2011

    I find this individuals actions (Zfire Xue) reprehensible, and I hope he is not only banned from SL (hardware ban) but prosecuted to the fullest extent of the law. He duped thousands out of money, for a system that never really worked much past his imagination and ability to use scare tactics to lure buyers in, and now to see he was using the system for far worse, to hack SL accounts, and possibly clean out someones bank account, its down right scary. This man goes beyond evil, please take every precaution if you have dealt with him in anyway and change your passwords on everything SL, LL related asap.

  9. Nidol

    Mar 12th, 2011

    I discovered a security exploit when fucking around with it one day. Never bothered to do anything with it though. I knew it would only be a matter of time before someone did, and I’m glad they decided to leak how malicious this guy really is.

  10. Everest

    Mar 12th, 2011

    i think, if you are using ppls private data, you should blacken out all stuff…as for that video: i have expressed my concerns about this video being possibly not zfire himself…noone can tell if it is at 100% as long as you dont know him personally. this is silly and typical again for the herald. not the first time you guys are shooting first and then are looking whom you’re aiming at. so not cool.
    i am no defender of that guy nor of that product. but there are limits in journalism you never should cross that you have crossed over and over again.
    just my 2 cents to it…

  11. Observer

    Mar 12th, 2011

    WTF does “sculpts with txt recorded” mean? His animator tool is spyware as well. What has this guy done? Installed chat and IM monitors all over SL?

    wow. just wow. I find it difficult to believe someone at LL is not part of this defending this blatant illegal activity. Hope I’m wrong.

  12. theGenius

    Mar 12th, 2011

    Isn’t it a felony in the US to record the specifics of incorrect credentials rather than just their occurrence?
    Regardless, to use these “incorrect passwords” against users is certainly a breech of security which could lead to felonious activity.
    Password hash data is one thing…plaintext just makes this guy look pathetic.

  13. beladona Memorial

    Mar 12th, 2011

    VERY interesting — especially in light of the fact that the website and markeplace had to be taken down because there was a problem with logons — I myself ended up logged on as two other individuals using my own name and password, and could see ALL of their account information

  14. Madddyyy Schnook

    Mar 12th, 2011

    Goodbye Mr Zfire. Close the door on the way out and leave your inventory at the door please.

  15. CarloAntonio Negulesco

    Mar 12th, 2011

    Seriously, who didn’t see this coming?

  16. Dee

    Mar 12th, 2011

    The big question is why is he still on the grid? Simple question silent answer.

  17. Little Lost Linden

    Mar 12th, 2011

    Holy Moly!!!

    Hopefully Rod Humble can save the day…

    otherwise it will be left to…….Hitler.

  18. hobo kelly

    Mar 12th, 2011

    so lemme get this straight… Red Zone has been hacked, and once inside, the hackers found the Second Life passwords for most of the Red Zone customers… heh :)

  19. EvilJezzy

    Mar 12th, 2011

    I want to thank all the reasonable people who brought this up in the jira and the brave haxor who exposed this jerk for what he is a megalomanical controlling freak. If he gets banned i will present soft linden with all my acounts and leave sl for good i swear. Neither side deserves this? Its about time the lab did something about them and us? The collateral damage of these sqables between griefers/copybots and evil manipulative spyware artists is too much for the community to handle.

  20. Tux

    Mar 12th, 2011

    I chuckled like I didn’t know it was comming – XD

  21. Liz

    Mar 13th, 2011

    Isn’t this sort of thing a crime? Why is this not being shut down?

  22. Urizenus Sklar

    Mar 13th, 2011

    Epic. Great work Pix.

  23. Miso Susanowa

    Mar 13th, 2011

    lol@ “hacktivists” erm, ya sure. It ain’t politics.

    You know, when I was young, we had to modem into school with an acoustic coupler, at 2400bps, HALF-duplex! And pay by the BIT! We didn’t have no fancy SQL-INJECTIONS! We didn’t have no effete WWW! No pansy LINKS! We had to ROLL OUR OWN TCP STACKS!!!

    Now these whippersnappers just whip up a GUI in Visual Basic to track the killer’s IPs! *snort*

    Now get off my eLawn!

  24. GothGirl

    Mar 13th, 2011

    @ Zfire Xue

    We are Anonymous We Legion, We do not Forgive, We Do Not Forget, We are the Face OF Chaos, and the Harbingers OF Judgement.


    You pissed Everyone off, and you got Served, & you failed, I got my account back, and followed LL’s instructions

    QuickWare ALTS is Gone.

    Skills Hak is next, His system will be gone too, as he violates users privacy, and breaks the Community Standards with that system too.

    P.S Zfire with over $200, Thousand USD you should make a Donation to Japan they really need it, and don’t forget to pay your Taxes LOL.

    I knew it was coming, and I wonder when Zfire’s name will be gone from Search when he refuses to do what LL asked so many times and remove the system and service from in world.

    I want all DATA my name, Key, IP Address anything else (REMOVED) From ALL SYSTEMS IN WORLD WITHOUT MY EXPRESS CONSENT, OR PURCHASE OF A PRODUCT FOR IT TO BE THERE, Refuse to listen, and piss off the wrong people, THIS IS WHAT YOU GET!

    All I have to say is Thank You to the Entire Community for taking Zfire down he had it coming after manually adding my info, Let alone working with the Copybotter and adding that info because of them.

  25. faroth

    Mar 13th, 2011

    So if the RedZone and similar tools are a violation of TOS 8.2 and Community Standards 4, let’s stop debate and act instead.

    There are several detectors on the marketplace. . get one and AR every owner of such a tool. They won’t learn otherwise.

    Second, after this made public – thanks a lot for it! – Linden should act and ban ZFire Xue from SL for life.

    Don’t forget to stop media bevore entering other sim’s …

  26. Nelson Jenkins

    Mar 13th, 2011

    @ Liz

    I have been told that the Lab is working out legal action against zFire. I can’t, for the life of me, figure out what they could prosecute under, but…

    … shit just got real. zFire, it’s time to hide your ass in that anti-copybot bunker you built in your backyard, ‘cuz the po-po is coming for your ass.

  27. [...] The Alphaville Herald – zf Redzone Security Breached – SL Passwords Compromised? [...]

  28. bikerprince

    Mar 13th, 2011

    okay sheeple.. you really have no idea how it works. yes the video is right. people tend to use the same password ingame as well as everywhere else. its simple to remember one password instead of fifty. but think about it for a moment.

    does the redzone system install software on your computer.
    does the redzone system do anything out of game except isell

    and would a criminal mastermind be stupid enough to do a fucking video of his criminal activities on YOUTUBE of all places (the biggest video share website in the whole world i might add) where just about anyone can find it and point “BAD MAN DOING BAD THING!” this whole greenzone vs redzone thing is fucking rediculous. its another service blackballing a service for whatever personal reasons behind it.

    same thing happened with copybot
    and before copybot casinos
    and before casinos sex clubs
    and before sex clubs stripper clubs
    and before that countless other instances where one service blackballed another for “haxorz”

    i know for a fact that most of you are going to jump on the bandwagon and say that this “jaycee” is zfire. heh. i wish.
    and quickly dismiss what ive said as ill informed gobledeegook. fine i have no problems with the world hating me simply because i dont let the sheep pull the wool over my eyes.

    go on and protest. go on and demand changes.

    but think about this for a brief moment.

    this is the secondtime “passwords” and account names have been “hacked” from linden labs servers. try to use your fucking brains

  29. Yep

    Mar 13th, 2011

    Go gettem Tiger! :P

  30. tank camino

    Mar 13th, 2011

    you know how i know this is forged????????? on the logs it shows merlin had a rredzon active b4 zfire did, does that seem fishy to any one else ? indeed z has made enimies look at the extent they fabricate things to discredit him

  31. tank camino

    Mar 13th, 2011

    and it says zfire owned the demo first im gonna point this out to every one i can being the creator wouldnt he own his realthing b4 the demo ? these are fony

  32. tank camino

    Mar 13th, 2011

    when forging evidence u gotta pay attention to the details ppl lol

  33. Amber

    Mar 13th, 2011

    tank, ever stop to think that zFire and Merlin are probably the same person, and that the Merlin account was used for testing purposes? Look closely at all the details you see in the screenshot.

  34. tank camino

    Mar 13th, 2011

    but that would throw the whole “look his own member” and his password is protected thing out the window, like i said the proof reeks of forgery

  35. Innula Zenovka

    Mar 14th, 2011

    If “First RedZone Owned” refers to the first sale to a particular avatar reported by the vendor or the marketplace magic box, then it’s very likely that someone other than zFire would be reported as the first owner. Certainly I only buy my own products from myself when I want to test something about the vendor. Otherwise, of course, I just rez them from my inventory.

    Similarly, if “got a RedZone demo” means “has used the demo vendor to get a free demo” then I’m not surprised zFire has tested his demo models by getting one from his vendor. I would.

  36. Sticky Pootawn

    Mar 14th, 2011

    Prefabricated BS

    That’s why nothing has been shut down


  37. [...] alphaville: A shadowy group of Second Life hactivists claim to have breached the Redzone server’s security, [...]

  38. Observer

    Mar 14th, 2011

    @bikerprince: Yes this Mike Prime dumbass is exactly stupid enough to make a movie laying claim. And LL is stupid enough to not press charges and thus be part of an international cybercrime operation.

  39. GothGirl

    Mar 14th, 2011

    Red Zone, & All systems working through media like such scanning anything need to be removed from Second Life, No IF’s & But’s about it.

    The Media is for two things only.

    1. Audio
    2. Video

    These systems violate multiple parts of the SL CS/TOS.
    1. 8.3 OF The Terms OF Service.

    (Data Mining Residents)

    2. Defaming Avatars/Individuals

    3. Harassment.

  40. swedishfox ghost

    Mar 14th, 2011

    if i see my account logged in, im going to assume its because of him and his shitty site, and when that day comes, im going to sue him ^^

  41. April Cordeaux

    Mar 14th, 2011

    Redzone is now back up on xstreet for sale.

  42. Nelson Jenkins

    Mar 14th, 2011

    @ April Cordeaux

    Bring on the bans! 3 strike rule…

  43. Gundel Gaukelei

    Mar 14th, 2011

    Suspected evil overlord got a german accent again … who would have guessed.

  44. Cathiee McMIllan

    Mar 14th, 2011

    Well the even interesting issue here is that Zfire has been possibly connected to a group known to harass other people in second life. The Knights of Mars (KoB).
    So if you look at it this way.
    Zfire, sends the KoB to do some griefing on places.
    The owners then see that “Redzone” claims to stop these kinda of griefing.
    Zfire gets you to spend 3,000 l for his product. Now this same product he himself can use it as a griefing tool. Since in theory according to his claim you can find out peoples ALTS so now, some one can go and stalk a person they don’t like. Also it has been shown you can manually enter a person as a copybot. So if Zfire and Redzone doesn’t like you they can add your name to the entire system to be banned.
    Also those that actually think this device protects against copybots look at his own stats on his website. .024% copybots. look at how many people he has said he has scanned. .024% you really think this product does what it claims it does? Read his own stats and learn. The device does nothing that it claims to do except a Bigger Ban list and a stalking tool for people to assume they know your alts by an IP address. People need to learn how IP address’s work.
    Also what happens to all those Husband, Wives playing together. or roomates. Ohhh they are all alts. But then Zfire has what 14 alts himself!!
    Seems people with so many alts tend to thing everyone is an alt.

  45. Keba Kraba

    Mar 14th, 2011

    I got my stuff from xstreet taken down because some idiot reported me for selling props from movies. I put back single item that has nothing to do with movies and earned myself nice 7 days suspension.
    He scams people for shitload of money, doing God knows what with his system, trashing both residents and Lindens, puts back XStreet items, and yet he never got even suspended…
    USA justice FTW!!!!1

  46. Bambam

    Mar 14th, 2011

    ROFL – hackers look at all the paranoid business owners passwords! Thinks the paranoid business owners need to be even more paranoid now. Looks like they just gave all of there stuff away for free without a copy bot being used.

    So bottom line… Store owners paid to have their password given out to third parties! LMAO!


  47. Yep

    Mar 14th, 2011

    When I think of all the people who bought redzone. I think of the old phrase ” there is a sucker born every minute.”

Leave a Reply