EntropiaForum.com
Security: Discussion related to Entropia Universe account security.

02-17-2008, 16:49   #1
YoBuk
Exploiting QuickTime flaws in 'TWMNBN'

I saw this article on a hacking conference that says money can be lifted off avatars using a streaming video flaw. Since EU also uses streaming video for ads, the same hack could be used here. I'm turning off streaming video until MA or some tech people here on the forum look into it.

Streaming Media vulnerability

Buk

02-17-2008, 16:57   #2
711

Quote:
Originally Posted by YoBuk
I saw this article on a hacking conference that says money can be lifted off avatars using a streaming video flaw. Since EU also uses streaming video for ads, the same hack could be used here. I'm turning off streaming video until MA or some tech people here on the forum look into it.

Streaming Media vulnerability

Buk
As far as I know, Entropia does not use any QuickTime technology, but rather Bink Video, so I don't think this is really a concern for Entropia Universe participants.

02-17-2008, 17:01   #3
Casay

Quote:
Originally Posted by 711
As far as I know, Entropia does not use any QuickTime technology, but rather Bink Video, so I don't think this is really a concern for Entropia Universe participants.
Thanks for clarifying for us and putting minds at ease so fast!

02-17-2008, 17:06   #4
YoBuk

Thanks for the reply 711. I went to the Wiki link you gave preparing to feel all better, but the last sentence made me feel it would be even easier to hack than QuickTime.

"The codec places emphasis on lower decoding requirements over other video codecs with specific optimizations for the different computer game consoles it supports"

02-17-2008, 17:09   #5
Dura Killer

Videos are stored on servers in EU & then the videos get streamed to the client in EU.
SL is a completely different environment & as 711 said, EU uses Bink.

02-17-2008, 17:19   #6
aridash

Even if media were streamed using QuickTime, I don't think this would have any direct impact since we don't have the user generated content in EU that SL does. You can't access someone's PED card as you might in SL to take a payment for a service.

Everyone should be far more concerned about the use of this QuickTime vulnerability for general virus/trojan/keyloggers. If you have QuickTime, get patched ASAP and be careful where QuickTime movies come from before opening.
__________________
OFFICIALLY a Pirate

consider a cockup before a conspiracy

02-17-2008, 17:20   #7
711

Quote:
Originally Posted by YoBuk
Thanks for the reply 711. I went to the Wiki link you gave preparing to feel all better, but the last sentence made me feel it would be even easier to hack than QuickTime.

"The codec places emphasis on lower decoding requirements over other video codecs with specific optimizations for the different computer game consoles it supports"
Well, consider the other parts of the article:

Bink technology has been used in over 3600 games, and there have not been any reports of major issues related to hacking as the article you provided describes.

I would thus say your concerns about the potential of an EU avatar being hacked via this method are pretty unlikely, especially considering that the database transactions are probably totally unrelated to avatar and video animations.


Quote:
Originally Posted by aridash
Everyone should be far more concerned about the use of this QuickTime vulnerability for general virus/trojan/keyloggers. If you have QuickTime, get patched ASAP and be careful where QuickTime movies come from before opening.
Good point aridash. It is much more likely that someone gets hacked via some other vulnerability (e.g. this QuickTime alert), which could allow a trojan or keylogger to be installed, and ultimately potentially compromise one's EU username and passwords.

As always, security best practices should always be employed on any PC used for monetary or highly sensitive communications. Further, every participant in EU with an avatar worth more than say 1000 PED should invest in a Gold Card to increase the security of their account.

02-17-2008, 18:00   #8
YoBuk

Thanks, it's all good to know. The article really surprised me at how game code could be manipulated from an object and infect the avatar.

EU has a more secure approach, PED cards are Own Avatar activated and Video Streams from their servers.