[sldev] new login feature compromised in the windlight linux client?

Robin Cornelius robin.cornelius at gmail.com
Sat Dec 29 06:04:00 PST 2007


Meni Kaiousei wrote:
> I just saw this Jira issue reported by Birkoff Enoch:
> https://jira.secondlife.com/browse/VWR-4037
>   

Has this been reported through the security process? 
http://wiki.secondlife.com/wiki/Security_issues

I've CC'd security to make sure.

Although this looks like a simple mistake by whoever copied the 
panel_login.xml file, it's an unacceptable mistake and the person 
responsible should NOT have done this. If they wanted a temporary page 
they should have pointed at the English version or another page on the 
Linden servers. Considering this web login was forced upon us as the 
"solution" this is a grave situation.

It doesn't look like the owner of the reported domain has a spoof page 
(yet) and in fact it's not accepting https connections, it's just being 
squatted upon. But there is now a real risk that if a spoof page 
appeared anyone using the broken release would have a compromised account.

I think LL need to scan that domain now and if they see a spoof page get 
an immediate take down.

Regards

Robin





