Second Life Hacking

by Lex Neva

Password retrieval systems are ubiquitous on the web.

Usually they consist of a link on the login page labeled "Forgot your password?".

Some sites will email your password to you in plain text, while others will quiz you with inane "security questions" that you answered when you signed up for the account.  By ensuring that you provide correct answers to the questions, the website can perfectly verify your identity to ensure that unauthorized parties are not trying to steal your account.  I hope your security sense is tingling.

In this article, I'll explore the insecurity of these systems through a case study.

All of the information I will provide is already well-known in the community and trivially accessible to motivated attackers.

Case Study: Second Life

Second Life (SL), available at secondlife.com and created by Linden Lab (LL), is a multi-user, interactive, open-ended, 3D virtual world in which users can create an incredible variety of content.

Users have no set goals, but instead use the world for socialization, art, 3D modeling, collaboration, and many other applications.  Access to the world is through a standalone client that runs natively on Windows, Mac OS X, and Linux.  I've been an avid member of SL for over three and a half years and most of my time in-world is spent on scripting and building.

Recently, I got an email from LL that disturbed me.

It was in German, a language I don't speak, and it had the subject line "Mein Konto: Kennwortanfrage" which I think translates to "My Account: Password Assistance".

It was one of those emails that the service sends you when you tell them you forgot your password.  By clicking the included URL, you "prove" that you're the owner of your email address, and the system trusts that you should be allowed to reset your password.

Motivation for Attack

Many users will ignore such a spurious mail, but I immediately got concerned.

What did the email say?  Why was it in German?  Who wanted to access my account?  Was it random, or a targeted attack?

I knew one thing: an attacker would have plenty of motivation to take over my account.

Not only have I built up an identity in SL, I also conduct a fair amount of business in-world for real-world money.  I sell products in SL, and then I sell the in-world money I earn for U.S. dollars on the LindeX currency exchange (secondlife.com/currency).

Gaining access to my account would let an attacker steal my profits.  It would also allow them to use my credit card on file to buy more in-world currency, which they could then transfer to a friend's account and sell, effectively stealing money from me.  Finally, they could take my products and distribute the source code, potentially costing me a huge number of sales and doing irrevocable damage to my business.  This account represents my entire real-world income (from sales and contracting work), so I'm very serious about protecting its security.

Attack Vectors

The attacker has motivation, so what are the potential attack vectors?

The password retrieval process for an SL account (secure-web0.secondlife.com/account/request.php) involves several steps.

First, the user visits the website and tells it that they forgot their password.  The system emails a one-use URL with a randomly generated code to the email account on file and tells the user to check their email.  This email is sent in the language of the requester, regardless of the settings on the account in question.  The website also provides another option: "Email no longer active?  Click here!"

It scared the crap out of me during my tests to see that the "secret" URL was plainly presented to me in that link, allowing me to bypass the need to have access to my email account altogether.  Fortunately, this option is only available to IP addresses that have previously successfully logged into the account; others are told to call LL to reset their password.

The next page contains the security questions.

A user must successfully answer one of four questions in order to verify their identity.  The first question is the secret question the user answered when they created their account.  Second, the system provides the last names of four people the user has added to their "friends list" in SL, and asks them to provide the first names.  I'm told the third option is to provide the exact value of the last payment the user made to LL, but this option was not presented to me because my account is not charged monthly fees.  The final option is to provide the name of the region that the user has set their home point to.  Only one of these questions must be successfully answered to gain access to the account, and the user has three attempts before their IP is blocked from the password reset system.

How can an attacker bypass these security measures?

First, they must gain access to the page with the security questions.

To do this, they must either intercept the email or come from an IP previously associated with the account.  It might be possible to luck into my IP address if they're using the same Internet service provider as I am, or they could hop on my wireless if I was unwise enough to leave it unsecured.  Since my attacker is in Germany, neither of these is an option, so they'll have to intercept my email.  Impossible, right?

Chillingly, Dan Kaminsky just showed us how an attacker can intercept emails using his DNS cache poisoning vulnerability, and they could do it in a way that I would be unable to detect.  Read the slides: www.doxpara.com/?p=1204

I think that the correlation in time between Kaminsky's talk and the attack on my account is unlikely to be a coincidence.

With that out of the way, the attacker is now looking at the page with the security questions.

While it's often easy for an attacker to discover the answer to a secret question (a good essay about this is here: www.schneier.com/blog/archives/2005/02/the_curse_of_th.html), they'll skip right past that and the last billed amount and look at the friends list and the home location.

The friends list might be fairly easy to guess because user surnames, which are chosen from a long list, are fairly unique inside communities in SL.  An attacker could deduce who might be on my friends list by looking at the membership lists of the groups I'm in, looking in my profile for mentions of friends, and searching the web for logs of any conversations I might have been in.  The attacker has only three tries, but I found in my tests that they can reload the page as many times as they want without penalty until they get a list of names they know.  Barring that, they can try to deduce my home location.  For most users, this is going to be a region in which they own land, and it's easy to find this information using SL's search system.  In my case, my home location was trivially obvious when looking at my profile.
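The reload-without-penalty behaviour described above is a flaw in how the challenge is generated, not in the question itself.  The following is an added example (my own illustration, not Linden Lab's code, which is not shown here) of a minimal reset flow that pins the four surnames to the one-use token and charges every attempt to that token, so reloading the page can never produce a fresh set of names; the friend names are constructed sample data.

```python
import random
import secrets
from dataclasses import dataclass

# Constructed sample account: the surnames are shown to the requester,
# the first names are the secret they must supply.
FRIENDS = {"Ashby": "Mira", "Corwin": "Tal", "Delacroix": "Juno",
           "Falkner": "Oren", "Greaves": "Pip", "Hollis": "Wren"}

@dataclass
class ResetChallenge:
    surnames: list          # the four surnames pinned to this token
    attempts_left: int = 3  # attempts are counted per token, not per page load

class ResetService:
    def __init__(self, friends, rng=None):
        self.friends = friends
        self.rng = rng or random.SystemRandom()
        self.challenges = {}

    def issue_token(self):
        # One-use code carried in the emailed URL; it only proves control of the inbox.
        token = secrets.token_urlsafe(32)
        # Sample the surnames once, at issue time, and store them with the token.
        surnames = self.rng.sample(sorted(self.friends), 4)
        self.challenges[token] = ResetChallenge(surnames)
        return token

    def view_questions(self, token):
        # Reloading the questions page returns the same four surnames every time.
        ch = self.challenges.get(token)
        return None if ch is None else list(ch.surnames)

    def answer(self, token, first_names):
        ch = self.challenges.get(token)
        if ch is None or ch.attempts_left == 0:
            return False
        ch.attempts_left -= 1
        ok = len(first_names) == len(ch.surnames) and all(
            secrets.compare_digest(self.friends[s], f)
            for s, f in zip(ch.surnames, first_names))
        if ok or ch.attempts_left == 0:
            del self.challenges[token]  # success or exhaustion both retire the token
        return ok
```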

Mitigation

I've shown that it's completely feasible for someone to compromise my account.

How can I mitigate this threat?  I've changed my home location to a less guessable place, but, other than my own land, SL severely limits where I can set my home location.  This change is pretty inconvenient for me, but I feel I have no choice.  I could also remove everyone from my friends list, which would prevent that question from appearing on the questions page at all.  In SL, this would make an already unmanageable user interface even more hostile, so this is not a feasible mitigation strategy.

I opened a support ticket with LL to let them know how worried I was about those emails I got, and they took the obvious step of immediately blocking all access to my account (gee, thanks).

This had the side-effect of freezing my business.  I called immediately to have my account unblocked and, thankfully, the representative did this for me.  We had a pretty interesting talk about security, and I set up a recognition phrase that I must provide in future calls to verify my identity, assuming the other phone representatives pay attention to that.  I was chagrined to find that my representative knew of no way for me to disable the web-based password recovery system for my account.  They escalated my ticket to find out for sure, and they recommended I change my password.

I've changed my password, but I can't help but feel it's a worthless exercise.

A system is only as secure as its weakest measure, and I've received no assurances that LL's resolvers have been patched against Kaminsky's vulnerability.  What's especially interesting is that LL is, in general, a security-conscious company.  Logins via the SL client use SSL to avoid transmitting the user's password hash in the clear.

Why This System?

What's especially interesting is why this insecure password recovery system was first put in place.

It goes back to an incursion into LL's systems in 2006 (blog.secondlife.com/2006/09/08/urgent-security-announcement), in which a large number of password hashes were believed to have been stolen by attackers.

In response, LL quickly published details about the attack and invalidated all user passwords.

This was a sensible reaction, but it meant that thousands of users were thrust upon the mercies of the password recovery system.  Many users no longer had access to the email address associated with their account, and they all started getting mad very quickly.  LL created a special phone line with extra staff to handle password resets.  They also added new identity verification options to the web-based password recovery system, giving us the system that is still in use today.  LL was wise to identify and respond to the breach so quickly, but they solved the problem by severely diminishing the security of the system as a whole.

Final Thoughts

In some online forums, it's no big deal if an account gets compromised.

But a system like SL gives an attacker the motivation and means to cause irreparable financial damage.

Worse yet, I have no options to increase my security and prevent this attack.  If it is deemed necessary to implement an automated password recovery system, it is critically important to provide users with a method of disabling it.  If I am stupid enough to forget my password, I want to have to call and jump through some very big hoops to prove my identity.

I've been assured by the developers at Linden Lab that they are looking to provide this option soon but, until then, I'm nervous.

As of the time of publication, over three months after the events described above, LL has slightly changed their password reset system.  There is no longer an option to provide your home location to prove your identity.  The other three options are still available.  There still seems to be no way to disable the password reset system entirely for an account.
