Second Life grid protocol leaks avatar locations?
Filed under: Exploits, News items, Second Life
According to Dusan Writer, the Instant Messaging portion of the Second Life grid network protocols contains location information about every avatar who sends an IM to you. It's been known for some time that the fields designed to encapsulate that information were present (though only the estate information was available to the recipient via the Second Life viewer), but it has not been clear whether the information about the location of the sender was actually filled in.
Apparently, it is -- and it isn't really that hard to get at, for anyone who can implement the protocol, use an existing library or modify and rebuild the viewer source code. This might be considered something of a faux pas, as a similar information leak a couple of years ago required considerable retooling of protocols to prevent anyone who wanted to know your business from ... well, knowing your business.
The earlier leak of location data was a little easier to exploit, however. In this case, at least, someone has to actually send you an IM (or a busy response) for the information to become available. Nevertheless, we're interested to see just how long this privacy flaw takes to fix -- the previous one was a known issue for quite some months before it was finally corrected.
Certainly last time, the privacy flaw was exploited quite maliciously over a long period. Is this an issue that you find to be of some significant concern? Or is it something you feel you can just walk off?
Reader Comments (Page 1 of 1)
Cincia Singh said on 1:56PM 10-17-2008
I don't do anything out on the grid that anyone would want to watch me do, so that's not a concern. And if anyone wants to "stalk" me, a click on the "mute" button solves their interference (not to mention filing an AR). But I am wondering what kind of exploits surfaced last time (too young on the grid to remember).
Chance Unknown said on 2:21PM 10-17-2008
Virtual presence is not related to physical presence. Turn off your computer.
Dusan Writer said on 2:35PM 10-17-2008
Cincia - muting someone does not close off the ability to track. The "exploit" means that anyone who opens an IM channel who had a recompiled viewer would be able, through opening that IM channel, to know your sim location and, it's believed (though not verified through testing) the coordinates on that sim.
So, muting and mapping are irrelevant to this. You can find anyone's location by opening an IM channel without saying anything (you OR them).
The sim location information has been tested in a recompiled viewer. Coordinate information has not been tested in a recompiled viewer; however, the code seems to allow that. (There were concerns with breaking the TOS so this wasn't done).
As far as filing an AR - well, I guess you'd have to have proof that someone was collecting location information. But how would you know?
Ari Blackthorne said on 3:13PM 10-17-2008
Tateru - I know you were here long enough to remember that everyone on the grid could be mapped LOL
I replied to Dusan Writer's article - I'm lazy, going to repeat my two-cents here:
This has always been the case. In fact, it used to be you could map anyone on the grid. Yes, anyone.
To be able to “turn off” mapping was a new viewer feature added about this time in 2006 if I remember correctly.
Back then, you had to actually turn it off as it defaulted to on (which made sense since it is what everyone was used to.)
Over time, we all simply became used to that ‘feature’. However, if you think of it, that information really does have to still be constantly transferred back and forth so it works instantly when you turn mapping ON.
Thus, mapping always happens. It’s not the design of the software to have the ability to turn it on and off. It always was on, so the on/off switch was added later.
What Linden Lab has done was to add a little checkbox that simply tells the map “don’t show this location” - even though your viewer already and always knows it’s there.
So, for those who complain about this feature (“flaw”) being an issue with poor software design… fair enough.
But the ability to turn mapping OFF is really just a patch to hide what is there, always there and really needs to be there - whether you are using it or not - just in case you turn it 'on'.
Think “Digital Liquid Paper”.
Garn said on 10:32AM 10-18-2008
So in essence, Ari, this is another instance of LL changing a feature without correcting the back end side of it. Kind of like their new Render Cost text and other floaters like that that throw all hover text into weird results.
Dedric Mauriac said on 6:45PM 10-20-2008
I don't mind if people know where I am.