Exchanges Halt Trading, ATM Withdrawals, Exploit in LL Scripting Language Suspected (Updated)

Earlier this morning, Virtual Stock Exchange (VSTEX) Public Relations Officer Samantha Goldflake announced that VSTEX had halted all companies on their exchange and asked users not to withdraw funds via their ATMs. Goldflake informed me that while she could not provide specifics, the situation was severe enough to warrant an open discussion with the CEOs of all SL exchanges.

Cocky Dagger of the International Stock Exchange (ISE) posted a similar announcement, which he later followed up with a quick summary of events that explains both exchanges' halts:

Here is a quick status update. Someone has figured out a very serious security exploit in SL and based on talks with Linden Labs it won't be acknowledged or fixed any time soon. We are not the only ones that have been affected and unfortunately others will be too. I'll write up the security exploit and supporting information later.

What this means for you is ATMs will have to stay down. I need to set up an alt, put money into it, and conduct manual transactions through the alt. It will take me several days to figure this out and I will publish procedures for in-world L$ transactions. I apologize for this inconvenience but exchanging Lindens through scripts is not safe in SL at this time.

At roughly 11:15AM SLT, the Ancapistan Stock Exchange (ACE) notified its users that ATMs would be disabled as a precaution, but that trading would be allowed to continue.

As of 1:45PM SLT, SLCAPEX has removed its ATMs until further notice as a precaution. Trading will go on as normal, with the obvious limitations imposed by the absence of a mechanism to deposit or withdraw funds.

Meanwhile, Cocky Dagger has provided a further update disclosing the nature of the problem. While I encourage readers to check the provided link, in sum, it appears that a hole in the LL scripting language has allowed an exploit in which an individual can 'dupe' an ATM into believing it has received money from a user when it has not. That user can then withdraw the funds the ATM believes were deposited, even though no deposit ever occurred.

Dagger's post suggests that LL has not provided him with any customer support at this time. There is a suggestion that all ATMs are susceptible to this exploit and users would be wise to take whatever precautions necessary to ensure they are not victimized by this reported exploit.

There is no official confirmation that any amount of money has been stolen. This evening, Cocky Dagger was kind enough to speak with me. He informed me that he first noticed this issue when he found ISE's reserves had been depleted. Dagger has assured me that only the reserves were stolen and this will not affect normal operations. While the VSTEX has made no official statement, it would seem likely that they noticed this issue as a result of missing funds.

Dagger seemed taken aback by an apparent lack of assistance from LL regarding this suspected exploit, but noted that when he spoke with LL, they seemed "stressed." By the timetable of events, it would appear that VSTEX CEO Tobia Forcella contacted LL first, followed by Dagger. If this is indeed a flaw in the SL scripting language, this writer would not take LL's silence as a sign of apathy. Instead, I suspect they are assessing the damage in a most serious manner.

At 5:20AM SLT on July 26, VSTEX stated that trading would resume, though ATMs would remain disabled. As of the update (1:26PM SLT), the ATM functions of all exchanges remain disabled with ISE being the only exchange still observing a trading halt. Trading resumed on the ISE at 6PM SLT.

Cocky Dagger has also provided this update that may further pinpoint the current issue:

Without disclosing too much information I have been given information and evidence that there is an exploit that allows people to copy objects and the scripts associated with those objects. I had speculated on two different ways someone could have compromised the ATMs, one was being able to copy the script, and that appears to be the case.

Apotheus Silverman of the SL Exchange shared this tidbit with me on July 25th (posted with Silverman's consent):

[16:19] Apotheus Silverman: Hi, yes I read about it earlier today. After reading the announcements I believe the problem is lack of security controls on the part of those exchanges. LSL source code in Second Life can't be considered secure so ATM programmers need to come up with a method of verifying that a script attempting to talk to their servers is legitimate. SL Exchange dealt with this same problem in 2005. A simple, non-technical solution prevents this exploit: require a human to approve any new ATM before it's allowed to function.

Silverman's statements suggest that this issue is longstanding. Though there is a manual remedy to the problem where duping ATMs are concerned, the much bigger question is how this supposed exploit might compromise the security of scripters and creators within the Second Life environment. Where this article is concerned, that question may not be answerable.

As the focus of my writing has primarily been the exchanges, I have requested the assistance of a writer with more Second Life experience to consider the larger issue emerging from this story.

Update 2

Since the last update, VSTEX and ACE have enabled their ATMs for customer use, with the former instituting a new policy that prohibits accounts less than ten days old from making ATM withdrawals (though manual withdrawals are available). ISE and SLCapex are allowing manual withdrawals only, though this will likely change in the coming weeks.

On July 30th, Cocky Dagger alluded to interaction between the ISE CEO and Linden Lab. Though his previous announcements spoke of grave concern over Linden Lab's lack of involvement, the latest announcement went on to describe the company's undisclosed actions as proper. While it seems likely that this means Dagger was recompensed for the monies stolen from his reserves, it is unknown how this fits into the larger picture.

Where the exchanges are concerned, this situation seems likely to resolve itself in the coming weeks, if not sooner.

In closing this article, I should call attention to something indirectly described, but not yet pointed out as a phenomenon in its own right: with the exception of the WSE, all exchanges worked closely together to assess and remedy this situation. From a reporter/investor's perspective, it was quite a sight to behold. A pity it had to end.

For further insight on the exploit itself, please click here and here.


Never, ever, store passwords in source code

Or even let them appear in compiled code.

I am surprised that people aren't more clueful than this.
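Silverman's point above (the server must verify that a script talking to it is legitimate, and a human should approve each new ATM before it works) and this comment's point (a password sitting in script source is not a credential once the source can be copied) describe the same server-side design. The Python below is an added illustration of that design, not code from any of the exchanges or from Linden Lab. It assumes a hypothetical exchange web service that keeps its own ledger, reads the ATM's object key from the X-SecondLife-Object-Key header that Linden Lab's HTTP proxy attaches to llHTTPRequest calls, and issues each ATM its own secret only after a human approves it; the object keys, avatar key and amounts in the demo are constructed.

```python
"""Server-side acceptance of deposit notices from in-world ATM scripts.

Hypothetical design (not any exchange's real code): the service never
takes an ATM's word for a deposit unless the notice comes from an ATM
object a human has approved, is signed with that ATM's own secret (issued
at approval time, never written into the shared LSL source), and has not
been seen before.  Withdrawals are paid only against balance the ledger
itself has recorded.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Ledger:
    # object_key -> per-ATM secret; an entry exists only after human approval
    approved_atms: dict = field(default_factory=dict)
    # object keys that have asked to be enabled but are not yet trusted
    pending: set = field(default_factory=set)
    # avatar_key -> L$ the exchange has actually recorded for that user
    balances: dict = field(default_factory=dict)
    # (object_key, nonce) pairs already credited, to reject replayed notices
    seen: set = field(default_factory=set)

    def register_atm(self, object_key):
        """A freshly rezzed ATM asks to be enabled; nothing is trusted yet."""
        self.pending.add(object_key)

    def approve_atm(self, object_key):
        """Human operator step (Silverman's remedy): only now is a secret issued.
        The secret is delivered to that one ATM out of band, not embedded in source."""
        self.pending.discard(object_key)
        secret = secrets.token_hex(16)
        self.approved_atms[object_key] = secret
        return secret

    def revoke_atm(self, object_key):
        """Blast radius of a copied or compromised ATM is limited to its own key."""
        self.approved_atms.pop(object_key, None)

    def credit_from_atm(self, notice):
        """Accept or reject a deposit notice claimed by an ATM script."""
        # object_key is what the service read from X-SecondLife-Object-Key;
        # a copy of the object gets a different key and is not on the allowlist.
        object_key = notice["object_key"]
        secret = self.approved_atms.get(object_key)
        if secret is None:
            return False  # unapproved or copied ATM
        message = f'{object_key}|{notice["avatar"]}|{notice["amount"]}|{notice["nonce"]}'
        expected = hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, notice["sig"]):
            return False  # wrong or guessed secret
        if (object_key, notice["nonce"]) in self.seen:
            return False  # replay of a notice already credited
        if notice["amount"] <= 0:
            return False
        self.seen.add((object_key, notice["nonce"]))
        self.balances[notice["avatar"]] = self.balances.get(notice["avatar"], 0) + notice["amount"]
        return True

    def withdraw(self, avatar, amount):
        """Pay out only what the ledger has recorded, never what an ATM claims."""
        if amount <= 0 or self.balances.get(avatar, 0) < amount:
            return False
        self.balances[avatar] -= amount
        return True


def sign_notice(secret, object_key, avatar, amount, nonce):
    """What the ATM side computes after its money() event; used here to build inputs."""
    message = f"{object_key}|{avatar}|{amount}|{nonce}"
    sig = hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()
    return {"object_key": object_key, "avatar": avatar, "amount": amount,
            "nonce": nonce, "sig": sig}


def demo():
    """Constructed scenario: one approved ATM and one copy that has only the shared source."""
    ledger = Ledger()
    real_atm = "11111111-1111-1111-1111-111111111111"    # constructed object key
    copied_atm = "22222222-2222-2222-2222-222222222222"  # a copy gets its own key
    user = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"        # constructed avatar key

    ledger.register_atm(real_atm)
    secret = ledger.approve_atm(real_atm)  # human approval step
    ok_real = ledger.credit_from_atm(sign_notice(secret, real_atm, user, 500, "n1"))
    # The copy was never approved, so no secret was issued to it; it can only guess.
    ok_copy = ledger.credit_from_atm(sign_notice("guessed", copied_atm, user, 500, "n2"))
    ok_replay = ledger.credit_from_atm(sign_notice(secret, real_atm, user, 500, "n1"))
    w1 = ledger.withdraw(user, 500)  # covered by the recorded deposit
    w2 = ledger.withdraw(user, 1)    # nothing left to pay
    return ok_real, ok_copy, ok_replay, w1, w2, ledger.balances[user]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is what the service treats as evidence: not a password shared by every copy of the script, but a per-object secret that exists only after an operator has looked at the ATM, plus the ledger's own record of what was credited. The object-key header is only meaningful for requests that genuinely came through Linden Lab's proxy, so a real deployment would also check the request origin before trusting it.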

Are other non-ATM vendors affected by this?

Konner thanks for the heads up with this report. Based on what Cocky found out and that it seems that the exploit has something to do with the Money() method, would this exploit also apply to vendors for products? (e.g. Hippo Vendor and others).

If it does then maybe all shop owners, landlords, etc. should start asking LL what's up especially if it means that the people involved could get free product by using the exploit, unless I am misunderstanding the issue.

Either way I will be keeping a closer eye on all of my sales.

Thanks for any further information.

Based on what Cocky has recently reported, this may have an impact far beyond ATMs:

"Without disclosing too much information I have been given information and evidence that there is an exploit that allows people to copy objects and the scripts associated with those objects."

It sounds like it may apply to anyone with intellectual property in Second Life. If this truly exists, I can only say that panicking is pretty useless. In his updates, Cocky has continued to note that LL isn't cooperating. While I expect the reasons why are obvious, if you have concerns, I think contacting them is a logical step. I can only ask you suppress the urge to rant.

Uh Oh

Holy Crap this sounds bad.