AAPL Stock: 117.81 ( -0.22 )

Printed from

QuickTime flaw used to steal Linden dollars

updated 03:55 pm EST, Tue December 4, 2007

QT flaw can steal Lindens

A vulnerability in the QuickTime media player discovered late last month has been exploited to steal virtual currency in the game Second Life (called "Linden Dollars"), a significant problem since Linden Dollars can be converted into US dollars, with an exchange rate of about 250 Linden to one US dollar. The capability was discovered by Charlie Miller and Dino Dai Zovi, who said "Second Life allows players to embed media files in Second Life objects, and uses QuickTime to handle all video rendering. Furthermore, it is possible to have these media elements constantly playing. If a Second Life avatar walks onto a piece of land that contains an embedded malicious QuickTime File, they can be exploited. Once the malicious file has been viewed by the victim, the attacker has complete control over the victim's computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like. This particular exploit freezes the avatar and makes them send the attacker's avatar twelve Linden dollars and shout "I got hacked."

Miller and Dai Zovi have posted a video of the exploit taking place.

The QuickTime flaw involves a boundary error can be created when processing RTSP replies, simply by using an overly long "Content-Type" header. This in turn leads to a stack-based buffer overflow, which grants attackers the ability to launch arbitrary code. The vulnerability is only confirmed to work on QuickTime 7.3 at present, however, and requires victims to open a QTL file or visit a malicious website.

To guard against this exploit, the team recommends that Second Life users discontinue their use of video by clicking Edit->Preferences and then "Audio & Video" and making sure that the box next to "Play Streaming Video When Available" is unchecked. Users should, of course, upgrade their QuickTime when a patch is released.

Linden Labs has been notified of the problem.

by MacNN Staff




  1. tindrum

    Joined: Dec 1969



    just how real Second Life is! Real thieves stealing from people!

  1. robttwo

    Joined: Dec 1969



    And how, when, how many has this actually affected?

    I love all the publicity about this - when every minute, thousands of infected computers are sending out emails, spoofing sites, and attempting to steal data

    But please, tell us about the 2 people this happened to! (Who happen to work for a company that sells security services to online gaming providers. - How interesting that only these so-called security firms are the only ones "discovering" exploits, isn't it?)


  1. elroth

    Joined: Dec 1969



    Each theft is 12 Linden, which is 5 cents. Definitely a serious problem.

  1. sixcolors

    Joined: Dec 1969


    Go to jail

    wouldn't this be really easy to trace... I would trace it and call the FBI... fücker will go to jail!

  1. danviento

    Joined: Dec 1969



    I don't get it. Does this code only effect file's within Second Life's reach as a game, or can it spread throughout the system. Is this an OS specific issue, or just the game platform we're talking about here?

    And 5¢? That's a joke considering how many ppl this would have to affect. Ditto on the above comments about the slime at so-called "security" firms.

  1. Feathers

    Joined: Dec 1969


    bad headline...

    from the Yellow Bellies at MacNN. It should read that through an exploit of quicktime, Linden dollars MAY be diverted. Frankly, anybody who puts real bucks into fantasy land deserves a good technological buggering anyway.

  1. fubar_this

    Joined: Dec 1969


    Easy to exploit

    Just to clarify, Second Life is vulnerable not because of any flaw in the game software itself, but because it allows players to embed video files in game objects, with QuickTime as the application handling all video rendering. All you have to do is visit a portion of the game where QuickTime is used. It's pretty easy to exploit. Let's remember in 2006 the MySpace worm was caused by a QuickTime vulnerability that was also easily exploited, and that was the biggest worm of 2006.

    And frankly, anything that cheats people out of money, large or small, just by doing something they do every day, is a big deal.

    As for the security companies: No security company issued a press release about this. None. The people who discovered the vulnerability are the ones that alerted the press. It grabbed headlines because frankly Apple tries to tout its security in its advertising, and therefore an Apple vulnerability will get headlines.

    And MacNN: try being less of a click w****. They sensationalized the headline; it should say "QuickTime ALLOWS hackers to steal Linden dollars."

  1. UberFu

    Joined: Dec 1969


    quicktime exploit or not

    this is still on Second Life for their own lack of security_ Especially if they're going to have a legitimate exchange rate for imaginary money to US Dollars_

    What will be real funny is if the Liden Buck ends up out-valuing the US Dollar with tthe rate at which the Dolalr is dropping these days_

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented