Zonja Capalini

Potential RL-identity exploit with Avatars United [UPDATED]

[UPDATE: MSo Lambert has posted a clarification in Snickers’ and Peter’s posts that indicates there is no risk of emails being exposed.]

I’m reproducing below in its entirety a post by Peter Stindberg. I’ve seen many people from Opensim grids, especially from OSGrid, in Avatars United. Peter’s post identified a potential security breach in Avatars United by which a malicious application could harvest avatar-email associations. Apart from the exposure to spam, this can lead to disclosure of RL details for those who are using RL email addresses in association with their avatars.

[Start of Peter’s post]

For those of you using their RL-email for their SL-avatar, using the default settings of Avatars United might pose a risk of unintentionally exposing the address!

Snickers Snook posted an insightful article about “Spam via Avatars United”, where she explained that since joining AU she receives significantly more spam on her supposedly undisclosed email address. She dug a bit into the settings and found that the default is that even non-installed AU-widgets can access certain data and send emails.

While Snickers primarily saw the spam problem, my friend Zonja Capalini pointed out that while being spammed is a nuisance, the bigger threat lies in the unsolicited disclosure of a potential RL email address and thus disclosure of the RL identity.

So if this concerns you, do two things:

  1. Read Snickers’ article and adjust your Avatars United settings
  2. Go and finally get a GMail/Yahoo/Hotmail/whatever address for your avatar

[End of Peter’s post]

February 16, 2010 | OpenSim, Security