Thursday, 6 May 2010

Something Phishy About Jive!


Yesterday saw another example of LL's poor decision in adopting Clearspace's Jive software for their new forums/blogorums. The Jive powered blog software, an alternative to LL's now scrapped vBulletin boards, fell foul to a simple phishing javascript, which harvested hundreds of user names and passwords.

A presumed Russian user going under the account name of "Aels Cybertar" placed some Javascript in a private message (PM) and sent it to an, as yet, unknown amount of people. The message arrived in users' inboxes as a message from, Aels Cybertar titled, "Hi, remember me? ^.^" When opening the PM the phishy script asked for the users' SL account name and password to read the message as seen in the pic below.













While some might say that people should have noticed this it has to be taken into account what a borked piece of software Clearspace's Jive is. There has been an endless stream of criticism for LL's decision to adopt it and users have demanded a better system to work with. Recently though Jive was upgraded leading to some user satisfaction, but this revamp seemed to add just as many new bugs into the system as the new features that it added. Some people had their whole profiles deleted or were unable to even log in.

One result of this upgrade was to stop persistent log ins and thereby forcing people to log in every time they revisited the pages. I am sure that this forced increase of repeatedly having to log in with your account details and password suckered many people in to believing that Jive was just getting even more secure.

LL did though disable all PMs when made aware, but shortly after that a user with the account name "Nykon Brunsen" posted in a thread on General Discussions discussing the phishing incident the following message,

Nykon Brunsen wrote:


"Lindens... it was funny.. u have no limits to users in one PM =)

u scripted sending via ID, not name... That you have made the only thingcorrectly - have disabled PM. Here that I have received. Enjoy. PS. from russia with love^.^"

There then followed an 18 page table listing IP addresses, browsers used, account names and passwords of all those that he had captured through the phish. Whether it was the total amount or a small sample we do not know. I have reprinted an edited and extracted version below with IPs and passwords removed. Although LL say they have reset the passwords of all users who were sent the PM, whether they have opened the PM or not, some people are already saying that this is not the case.

The Flogs remain up today although all functionality/html has been disabled so it would seem the Flogs are still not secure to use. This is a big egg on their face moment for LL and Clearspace as it effectively shows that all of LL's security procedures were bypassed by one simple phishing exercise. Not only that, but it was conducted on one of their own sites over which they have received much criticism for their use of Clearspace's Jive software. The phishing ex
ercise for the moment seems to have been done for non-malicious purposes so as to show LL how open their system was and how lacking Jive was in protecting them. So far I've not heard of any user reporting missing inventory or money. The posting of users' account names and passwords on a public forum though can only be considered ill thought and criminally negligent.

Below is a shortened list of users who were caught. There were 18 pages of names and passwords and I include only 2 extracted pages here with IPs and passwords deleted as an example. I had to chuckle at one of the users who was caught and who had used a really weak password. Last week they were boasting in a forum of how, with their long, long experience in IT and installing and maintaining big corporate networks, that they could run LL's data centres and that they would have avoided last week's outage. Good to see that such superheroes can get phished and don't know how to set a strong password. I hear too that Prokofy too was hooked by the phish, she'll be relieved to know that her details didn't appear on the list that I have.

Edit: Prok has a nice first person report of it here.

If your name appears here then I would advise you to change your password if not already reset by LL.

























5 comments:

  1. Seems like another wtg! for SL, all profit and no thought. They got told it was shit Im glad they found out the hard way.

    ReplyDelete
  2. this reely sucked. i had an alts password reset and couldnt remeber for the life of me the names of friends i had to complete for the security question. had to go in on my main and search names and take a probale guess.

    reely fucking sucky, thx LL

    ps: Got them in the end :)

    ReplyDelete
  3. You wait and see, the Lindens will just slap a plaster on and say everything is ok. people will tell them it's still borked and they will pay no attention till the next time something happens.

    It's the new Tao of Linden, "Screw you people unless the lab is losing money!"

    ReplyDelete
  4. I looked allover the ll blogs and I cant find that user you mentioned or his post anywhere?????????

    the Nykon Brunsen dude?????????

    ReplyDelete
  5. @ Anonymous

    Sorry anon, I should have said in my post that the blog mods moved in and removed his post, which was surprising given their usual snail's pace reaction to stuff on the blogs.

    Luckily I left the page on one tab and revisited later on another tab and saw that it had been deleted; so I had a nice screendump available. :-)

    It was in this thread I believe http://blogs.secondlife.com/thread/20957?tstart=30

    ReplyDelete