[sldev] new login feature compromised in the windlight linux client?
Robin Cornelius
robin.cornelius at gmail.com
Sat Dec 29 06:04:00 PST 2007
Meni Kaiousei wrote:
> I just saw this Jira issue reported by Birkoff Enoch:
> https://jira.secondlife.com/browse/VWR-4037
>
Has this been reported through the security process?
http://wiki.secondlife.com/wiki/Security_issues
I've CC'd security to make sure.

Although this looks like a simple mistake by whoever copied the
panel_login.xml file, it's an unacceptable mistake and the person
responsible should NOT have done this. If they wanted a temporary page
they should have pointed at the English version or another page on the
Linden servers. Considering this web login was forced upon us as the
"solution", this is a grave situation.

It doesn't look like the owner of the reported domain has a spoof page
(yet) and in fact it's not accepting https connections, it's just being
squatted upon. But there is now a real risk that if a spoof page
appeared, anyone using the broken release would have a compromised account.

I think LL need to scan that domain now and if they see a spoof page get
an immediate take down.
Regards
Robin