zf Redzone Security Breached – SL Passwords Compromised?
by Pixeleen Mistral on 12/03/11 at 3:12 pm
Is Redzone playing guessing games with 2200 customers’ SL passwords?
The firestorm of criticism surrounding the zf Redzone Second Life security system may be only the beginning of zFire Xue’s troubles. A shadowy group of Second Life hacktivists claim to have breached the Redzone server’s security, gaining access to the server database and discovering cleartext passwords for most Redzone customer accounts on the site.
As if storing raw Redzone customer passwords were not bad enough, there is apparently a second table that records the passwords from failed login attempts, in the hope that users will accidentally enter their Second Life account password. These failed passwords are conveniently displayed on the user profile page of the "Admin Overlord App" as "Possible SL PW(s)".
In light of these revelations, the Herald strongly suggests that all zf Redzone customers change their Second Life account passwords immediately – and ask themselves why they would continue to run a product that attempts to guess their Second Life password.
Redzone User Data includes possible SL passwords stored in cleartext
Rumors that zf Redzone has been used in attempts to collect Second Life passwords recently gained significant metaverse mindshare as a YouTube video began making the rounds describing a web site that can predict player passwords based on failed login attempts.
It is widely believed that the video is from zFire Xue to Mariana Swashbuckler. Avril Korman reports that zFire Xue is part of a SL gang known as the "Mars Syndicate" which includes a member named Mariana – apparently the same Mariana to whom the video is addressed.
How did the hacktivists gain access to the Redzone security system’s secrets? According to several sources, the site fell to an SQL injection attack, in which carefully crafted URLs cause the site to hand over information from the database that was not intended for public viewing.
This is the same sort of attack that was used to breach the HBGary Federal site recently. We can only conclude that role-play security experts in both real life and Second Life have some difficulty with the basics of keeping their own sites secure. Perhaps they should not store sensitive data?
Password compromises are not the only concern raised by the leak. It appears that zFire Xue can also manually add players to the Redzone copybotter list.
We can only hope that Mr. Xue does not abuse this power to persecute his critics.
Admin Overlord App allows manual addition of "copybotters" and Account stats lookup
The amount of avatar and IP address information contained in the Redzone database is impressive – but not in a good way. According to those claiming responsibility for the leak, there are over 1.6 million unique IP addresses connected to various avatars in the database, along with geo-location tools to identify the real-life location of Second Life players monitored by zf Redzone.
However, the hacktivists who accessed the Redzone database have not published its contents, so these claims will be hard to verify.
zFire Xue protects his own "Possible SL PW" from view
The hacktivists behind the security breach went into significant detail about what they uncovered in this comment sent to the Herald early today:
screenshots showing zfire's password viewing pages and others. certain sensitive info is removed. please save and repost the images before they get removed.
“Admin Overlord Ap” – http://i.imgur.com/Vrfrt.png
“Account Data” – passwords were stored using md5() hashes. a column was added later to keep the raw password to show to admins. after… the failedlogin table was added to store failed logins and show failed password choices to admins. probably used to steal SL accounts like in the video
zfire's “Account Data” page – http://i.imgur.com/iIesN.png random redzone owner “Account Data” page (to demonstrate that possibly all sl passwords are shown to admins) – http://i.imgur.com/Vnt21.png
other info: there are raw failedlogin passwords stored for 2200 users. there are raw user passwords stored for most with an isellsl and redzone account.
ips are not stored encrypted like the “frequently asked questions” say. there are 1670471 unique nonencrypted ips connected to avatars. there are geoip tables in the db for finding locations from ip….
maybe zfire plans to stalk people around the grid using his redzone things. this table is in the redzone db:
[tracking] index, detectedname, detecteduuid, location, date, ownername, owneruuid, objectname, objectuuid
4 other people in the server at once.. bad security.
i only want to confirm. not data or mess up his data or something stupid. i did not remove the db or mess it up. i can't and also won't leak the contents. maybe other people already got it though, from looking at sql errors and posts of passwords changed without them…
please remove tracking and failedlogin tables and pass2 column from users table. thank you.
please also read OWASP and fix the page zfire. don't be a jerk!!
As of this writing, evidence that something is seriously amiss with the isellsl.cx Redzone site persists, as SQL error messages are displayed on several pages. Attempts to contact zFire Xue for comment have been met with silence – it seems likely he is busy inspecting his database and applications for leaks and damage.
Given the level of access the hacktivists seem to have to his system, the Herald suggests Mr. Xue take our advice to his customers and change his passwords – then ask himself why he would continue to run Redzone.
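As an added example (not code from the article, the hacktivists or Redzone), this is how a defender would build the account storage the leak describes so that neither the raw-password column ("pass2") nor a failedlogin table holding submitted passwords can exist: salted, iterated hashes instead of bare md5(), parameterised queries so crafted input is bound as data rather than spliced into SQL, and a failed-login record that keeps only who, from where and when. Table and column names, the round count and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3
import time

# Constructed schema (assumed names). Note what is absent: no raw-password
# column on users (the page's "pass2") and no password column on failed_logins.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    salt     BLOB NOT NULL,
    pw_hash  BLOB NOT NULL
);
CREATE TABLE failed_logins (
    username  TEXT,
    source_ip TEXT,
    attempted INTEGER
);
"""

PBKDF2_ROUNDS = 200_000  # assumption: tune to your own hardware

def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash instead of the bare md5() the page describes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def register(db, username: str, password: str) -> None:
    salt = os.urandom(16)
    # Parameterised statement: user input is bound, never spliced into SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, _derive(password, salt)))
    db.commit()

def login(db, username: str, password: str, source_ip: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    ok = row is not None and hmac.compare_digest(_derive(password, row[0]), row[1])
    if not ok:
        # Record that a failure happened and from where, never what was typed.
        db.execute("INSERT INTO failed_logins VALUES (?, ?, ?)",
                   (username, source_ip, int(time.time())))
        db.commit()
    return ok

def failed_login_columns(db) -> list:
    # Schema self-check: the audit table has no column that could hold a secret.
    return [r[1] for r in db.execute("PRAGMA table_info(failed_logins)")]

def stored_anywhere(db, text: str) -> bool:
    # Scans every string cell of every table for `text` (fine for a small test DB).
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for row in db.execute(f'SELECT * FROM "{table}"'):
            if any(isinstance(c, str) and text in c for c in row):
                return True
    return False
```

`stored_anywhere` is the check the hacktivists' "pass2" and "failedlogin" findings suggest running against one's own database: after a wrong password is submitted, the string must not be findable in any table.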
Eva Ryan
Mar 12th, 2011
Oooops.
See, this is what happens when you challenge someone to try to hack your UBER-Secure website… YOU GET HACKED!
And really, RedZone customers should have known better than to trust someone that’s low enough to use exploits to monitor others.
Sucks to be you all.
Scylla Rhiadra
Mar 12th, 2011
“We can only hope the Mr. Xue does not abuse this power to persecute his critics.”
There is evidence that he already has.
Everything about this highlights the fact that Linden Lab MUST act to prevent this sort of system from operating in Second Life again: the original system was a violation of the ToS and of basic rights of privacy, and was (as is clear from the “Mariana” video) also a means for a frighteningly dangerous hack into SL accounts. At the same time, the vulnerability of the database demonstrates that it just is NOT wise to let amateur “security experts” engage in this kind of datascraping.
Linden Lab needs to act NOW to re-establish the confidence of its customers in the system. This is no longer just about RedZone: it’s about the security vulnerabilities in SL itself that have made this kind of disaster possible.
Avril Korman
Mar 12th, 2011
Aww… You got all the good stuff sent to you.
No seriously, well done. This is GOLD. Thank you very much for posting all of this. Really all it does is corroborate what many of us have said all along.
Granted I’m sure this will be written off as pshop wizardry and that there was no hack and whatever other lie he can think of to keep the bottom feeders believing, but for the rest of us?
Yeah thank you for this.
-AK
Orion
Mar 12th, 2011
Gee whiz, it's Emerald all over again. -.-
EvilJezzy
Mar 12th, 2011
They better shut this down, i’m serious and i will not show mercy this next time. A lot of people were spared the spam hammer and many sims were left alone. This is nothing more than a privacy invasion tool; it does not stop our viewers and does not stop the educated griefer.
Go ^#^& yourself zfire aka SPITFIRE CLARY I WIN!!!
Evil Jezzy
Now that redzone is toast i can quit griefing cause sl sucks and is boooring. Anyway my job is done now i can go have a life x thx GBYE.
Potosi Abonwood
Mar 12th, 2011
Wow. Simply wow. Posted a link on my blog leading back to this article. The truth has been shown.
Glenn Beck
Mar 12th, 2011
You know who else kept a database of their victims?
…Hitler.
deadzone
Mar 12th, 2011
I find this individual's actions (Zfire Xue) reprehensible, and I hope he is not only banned from SL (hardware ban) but prosecuted to the fullest extent of the law. He duped thousands out of money, for a system that never really worked much past his imagination and ability to use scare tactics to lure buyers in, and now to see he was using the system for far worse, to hack SL accounts, and possibly clean out someone's bank account, it's downright scary. This man goes beyond evil; please take every precaution if you have dealt with him in any way and change your passwords on everything SL, LL related asap.
Nidol
Mar 12th, 2011
I discovered a security exploit when fucking around with it one day. Never bothered to do anything with it though. I knew it would only be a matter of time before someone did, and I’m glad they decided to leak how malicious this guy really is.
Everest
Mar 12th, 2011
i think, if you are using ppls private data, you should blacken out all stuff…as for that video: i have expressed my concerns about this video being possibly not zfire himself…no one can tell if it is at 100% as long as you dont know him personally. this is silly and typical again for the herald. not the first time you guys are shooting first and then are looking whom you’re aiming at. so not cool.
i am no defender of that guy nor of that product. but there are limits in journalism you never should cross that you have crossed over and over again.
just my 2 cents to it…
Observer
Mar 12th, 2011
WTF does “sculpts with txt recorded” mean? His animator tool is spyware as well. What has this guy done? Installed chat and IM monitors all over SL?
wow. just wow. I find it difficult to believe someone at LL is not part of this defending this blatant illegal activity. Hope I’m wrong.
theGenius
Mar 12th, 2011
Isn’t it a felony in the US to record the specifics of incorrect credentials rather than just their occurrence?
Regardless, to use these “incorrect passwords” against users is certainly a breach of security which could lead to felonious activity.
Password hash data is one thing…plaintext just makes this guy look pathetic.
beladona Memorial
Mar 12th, 2011
VERY interesting — especially in light of the fact that the website and marketplace had to be taken down because there was a problem with logons — I myself ended up logged on as two other individuals using my own name and password, and could see ALL of their account information
Madddyyy Schnook
Mar 12th, 2011
Goodbye Mr Zfire. Close the door on the way out and leave your inventory at the door please.
CarloAntonio Negulesco
Mar 12th, 2011
Seriously, who didn’t see this coming?
Dee
Mar 12th, 2011
The big question is why is he still on the grid? Simple question silent answer.
Little Lost Linden
Mar 12th, 2011
Holy Moly!!!
Hopefully Rod Humble can save the day…
otherwise it will be left to…….Hitler.
hobo kelly
Mar 12th, 2011
so lemme get this straight… Red Zone has been hacked, and once inside, the hackers found the Second Life passwords for most of the Red Zone customers… heh
EvilJezzy
Mar 12th, 2011
I want to thank all the reasonable people who brought this up in the jira and the brave haxor who exposed this jerk for what he is, a megalomaniacal controlling freak. If he gets banned i will present soft linden with all my accounts and leave sl for good i swear. Neither side deserves this? Its about time the lab did something about them and us? The collateral damage of these squabbles between griefers/copybots and evil manipulative spyware artists is too much for the community to handle.
Tux
Mar 12th, 2011
I chuckled like I didn’t know it was coming – XD
Liz
Mar 13th, 2011
Isn’t this sort of thing a crime? Why is this not being shut down?
Urizenus Sklar
Mar 13th, 2011
Epic. Great work Pix.
Miso Susanowa
Mar 13th, 2011
lol@ “hacktivists” erm, ya sure. It ain’t politics.
You know, when I was young, we had to modem into school with an acoustic coupler, at 2400bps, HALF-duplex! And pay by the BIT! We didn’t have no fancy SQL-INJECTIONS! We didn’t have no effete WWW! No pansy LINKS! We had to ROLL OUR OWN TCP STACKS!!!
Now these whippersnappers just whip up a GUI in Visual Basic to track the killer’s IPs! *snort*
Now get off my eLawn!
GothGirl
Mar 13th, 2011
@ Zfire Xue
We are Anonymous We Legion, We do not Forgive, We Do Not Forget, We are the Face OF Chaos, and the Harbingers OF Judgement.
http://www.youtube.com/watch?v=uZ1qi9gz7UU
You pissed Everyone off, and you got Served, & you failed, I got my account back, and followed LL’s instructions
QuickWare ALTS is Gone.
Skills Hak is next, His system will be gone too, as he violates users privacy, and breaks the Community Standards with that system too.
P.S Zfire with over $200, Thousand USD you should make a Donation to Japan they really need it, and don’t forget to pay your Taxes LOL.
I knew it was coming, and I wonder when Zfire’s name will be gone from Search when he refuses to do what LL asked so many times and remove the system and service from in world.
I want all DATA my name, Key, IP Address anything else (REMOVED) From ALL SYSTEMS IN WORLD WITHOUT MY EXPRESS CONSENT, OR PURCHASE OF A PRODUCT FOR IT TO BE THERE, Refuse to listen, and piss off the wrong people, THIS IS WHAT YOU GET!
All I have to say is Thank You to the Entire Community for taking Zfire down he had it coming after manually adding my info, Let alone working with the Copybotter and adding that info because of them.
faroth
Mar 13th, 2011
So if the RedZone and similar tools are a violation of TOS 8.2 and Community Standards 4, let’s stop debate and act instead.
There are several detectors on the marketplace. . get one and AR every owner of such a tool. They won’t learn otherwise.
Second, after this made public – thanks a lot for it! – Linden should act and ban ZFire Xue from SL for life.
Don’t forget to stop media before entering other sims …
Nelson Jenkins
Mar 13th, 2011
@ Liz
I have been told that the Lab is working out legal action against zFire. I can’t, for the life of me, figure out what they could prosecute under, but…
… shit just got real. zFire, it’s time to hide your ass in that anti-copybot bunker you built in your backyard, ‘cuz the po-po is coming for your ass.
Privacy War in SL *updated 3/13* « Acoustic Alchemy in Second Life
Mar 13th, 2011
[...] The Alphaville Herald – zf Redzone Security Breached – SL Passwords Compromised? [...]
bikerprince
Mar 13th, 2011
okay sheeple.. you really have no idea how it works. yes the video is right. people tend to use the same password ingame as well as everywhere else. its simple to remember one password instead of fifty. but think about it for a moment.
does the redzone system install software on your computer.
does the redzone system do anything out of game except isell
and would a criminal mastermind be stupid enough to do a fucking video of his criminal activities on YOUTUBE of all places (the biggest video share website in the whole world i might add) where just about anyone can find it and point “BAD MAN DOING BAD THING!” this whole greenzone vs redzone thing is fucking ridiculous. its another service blackballing a service for whatever personal reasons behind it.
same thing happened with copybot
and before copybot casinos
and before casinos sex clubs
and before sex clubs stripper clubs
and before that countless other instances where one service blackballed another for “haxorz”
i know for a fact that most of you are going to jump on the bandwagon and say that this “jaycee” is zfire. heh. i wish.
and quickly dismiss what ive said as ill informed gobbledygook. fine i have no problems with the world hating me simply because i dont let the sheep pull the wool over my eyes.
go on and protest. go on and demand changes.
but think about this for a brief moment.
this is the second time “passwords” and account names have been “hacked” from linden labs servers. try to use your fucking brains
lolol
Mar 13th, 2011
http://www.youtube.com/watch?v=T845CzkPgbo&feature=player_embedded
Yep
Mar 13th, 2011
Go gettem Tiger!
tank camino
Mar 13th, 2011
you know how i know this is forged????????? on the logs it shows merlin had a redzone active b4 zfire did, does that seem fishy to any one else ? indeed z has made enemies, look at the extent they fabricate things to discredit him
tank camino
Mar 13th, 2011
and it says zfire owned the demo first im gonna point this out to every one i can. being the creator wouldnt he own his real thing b4 the demo ? these are phony
tank camino
Mar 13th, 2011
when forging evidence u gotta pay attention to the details ppl lol
Amber
Mar 13th, 2011
tank, ever stop to think that zFire and Merlin are probably the same person, and that the Merlin account was used for testing purposes? Look closely at all the details you see in the screenshot.
tank camino
Mar 13th, 2011
but that would throw the whole “look his own member” and his password is protected thing out the window, like i said the proof reeks of forgery
Innula Zenovka
Mar 14th, 2011
If “First RedZone Owned” refers to the first sale to a particular avatar reported by the vendor or the marketplace magic box, then it’s very likely that someone other than zFire would be reported as the first owner. Certainly I only buy my own products from myself when I want to test something about the vendor. Otherwise, of course, I just rez them from my inventory.
Similarly, if “got a RedZone demo” means “has used the demo vendor to get a free demo” then I’m not surprised zFire has tested his demo models by getting one from his vendor. I would.
Sticky Pootawn
Mar 14th, 2011
Prefabricated BS
That’s why nothing has been shut down
False
zf Redzone User Passwords Hacked « Herk's Lab
Mar 14th, 2011
[...] alphaville: A shadowy group of Second Life hactivists claim to have breached the Redzone server’s security, [...]
Observer
Mar 14th, 2011
@bikerprince: Yes this Mike Prime dumbass is exactly stupid enough to make a movie laying claim. And LL is stupid enough to not press charges and thus be part of an international cybercrime operation.
GothGirl
Mar 14th, 2011
Red Zone, & All systems working through media like such scanning anything need to be removed from Second Life, No IF’s & But’s about it.
The Media is for two things only.
1. Audio
2. Video
These systems violate multiple parts of the SL CS/TOS.
1. 8.3 OF The Terms OF Service.
(Data Mining Residents)
2. Defaming Avatars/Individuals
3. Harassment.
swedishfox ghost
Mar 14th, 2011
if i see my account logged in, i'm going to assume it's because of him and his shitty site, and when that day comes, i'm going to sue him ^^
April Cordeaux
Mar 14th, 2011
Redzone is now back up on xstreet for sale.
Nelson Jenkins
Mar 14th, 2011
@ April Cordeaux
Bring on the bans! 3 strike rule…
Gundel Gaukelei
Mar 14th, 2011
Suspected evil overlord got a German accent again … who would have guessed.
Cathiee McMIllan
Mar 14th, 2011
Well the even more interesting issue here is that Zfire has been possibly connected to a group known to harass other people in second life. The Knights of Mars (KoB).
So if you look at it this way.
Zfire, sends the KoB to do some griefing on places.
The owners then see that “Redzone” claims to stop this kind of griefing.
Zfire gets you to spend 3,000 L for his product. Now this same product he himself can use as a griefing tool. Since in theory according to his claim you can find out people's ALTS, someone can go and stalk a person they don’t like. Also it has been shown you can manually enter a person as a copybot. So if Zfire and Redzone don't like you they can add your name to the entire system to be banned.
Also those that actually think this device protects against copybots, look at his own stats on his website. .024% copybots. look at how many people he has said he has scanned. .024% you really think this product does what it claims it does? Read his own stats and learn. The device does nothing that it claims to do except a Bigger Ban list and a stalking tool for people to assume they know your alts by an IP address. People need to learn how IP addresses work.
Also what happens to all those husbands, wives playing together, or roommates. Ohhh they are all alts. But then Zfire has what, 14 alts himself!!
Seems people with so many alts tend to think everyone is an alt.
Keba Kraba
Mar 14th, 2011
Heh…
I got my stuff from xstreet taken down because some idiot reported me for selling props from movies. I put back a single item that has nothing to do with movies and earned myself a nice 7-day suspension.
He scams people for shitload of money, doing God knows what with his system, trashing both residents and Lindens, puts back XStreet items, and yet he never got even suspended…
USA justice FTW!!!!1
lolol
Mar 14th, 2011
Scams?
http://law.justia.com/cases/federal/appellate-courts/F3/363/1028/531950/
Bambam
Mar 14th, 2011
ROFL – hackers look at all the paranoid business owners' passwords! Thinks the paranoid business owners need to be even more paranoid now. Looks like they just gave all of their stuff away for free without a copy bot being used.
So bottom line… Store owners paid to have their password given out to third parties! LMAO!
OWNED!
Yep
Mar 14th, 2011
When I think of all the people who bought redzone. I think of the old phrase ” there is a sucker born every minute.”
lolol
Mar 14th, 2011
A fraud
http://query.nytimes.com/gst/fullpage.html?res=9407E5DC1F3DF930A3575BC0A9669C8B63&pagewanted=all