Dean Takahashi of the San Jose Mercury News revealed that people can take advantage of a known QuickTime problem and become virtual pickpockets in Linden Lab's Second Life. Steve over at PlayNoEvil points out that "anything that can actually affect the integrity of the game or business application should be completely independent of these services to ensure that a breach in 'the other guy's stuff' doesn't affect the security of your business - especially casual applications and services that do not see themselves as having security functionality." Linden Lab confirmed the vulnerability, but the researchers who exploited the flaw were quick to note the issue can be resolved with a simple patch. Still - I think Steve's got a point:
In a video of a scene from Second Life, Miller showed how a player-created character, dubbed an "avatar," walks near the hacker's avatar. Nothing appears amiss, but then a message appears saying that the walking avatar has transferred 12 Linden dollars to the hacker's avatar. The oblivious walking avatar then says, "I got hacked."
The range of the hack is approximately 100 virtual feet. Nothing can stop the hacker from cashing out that money for real dollars through various exchanges associated with Second Life. Today, about 250 Linden dollars equals one U.S. dollar.
The hackers say the scene shows they can take complete control of any player's avatar and make that avatar surrender any money and other property in its account. That's a serious security breach because many of the 10.5 million registered members of Second Life are trying to make a living in the virtual world by selling goods and services.
I'm a little surprised more of the mainstream media hasn't picked up on their virtual darling's (minor? major?) problems, but the Second Life craze seems to have subsided somewhat.
Second Life pickpockets threaten real world cash potential [San Jose Mercury News via PlayNoEvil]