December 22nd, 2008

PlayStation Home virtual world hacked

Posted by Ryan Naraine @ 10:23 am

Categories: Arbitrary Code Execution, Botnets, Browsers, Data theft, Exploit code, Flash, Hackers, Malware, Passwords, Social Networking Applications, Viruses and Worms, Vulnerability research

Tags: Virtual World, Sony Playstation, Ryan Naraine

Hackers are using a combination of DNS redirection, software vulnerabilities and the open-source Apache Web server to exploit holes in Sony’s new PlayStation Home virtual world, according to a Telegraph report.

The hack is allowing developers to customize their PlayStation Home experience beyond the options provided by Sony but there’s a worrysome component to this platform weakness…

[T]he security loophole that allows tech-savvy users to upload any file to the Home server, or delete any file from the Home server. It raises the spectre of malicious hackers spreading viruses and malware across the PlayStation Home platform, or even launching sustained attacks on the virtual world’s servers to force it offline.

[ SEE: QuickTime hack allows Second Life currency theft ]

More from the report:

One hack uses a combination of the Apache web server and DNS re-direction to allow users of PlayStation Home to watch their own movies on display screens within the game, and change text and music to whatever they choose.

A second hack enables players to download any file they want from PlayStation Home’s servers, such as a fellow user’s profile or avatar, the cartoon-like representation of themselves they create to appear in the virtual world.

This is not the first documented vulnerability — and attack — affecting virtual world users.   A year ago, security researchers Dino Dai Zovi and Charlie Miller found a way to exploit an unpatched QuickTime vulnerability to steal Linden Dollars from users in the Second Life virtual world.

These attacks — both real and theoretical — are a major worry because of the growth of malware targeting online games.  Property accumulated in virtual world accounts have financial value in the real world, leading to an exploding underground market for stolen virtual world accounts.

At the Virus Bulletin conference this year, I listened to an eye-opening discussion about the underground virtual world hacking economy and I’m convinced we’ll see these types of attacks expand to affect computers users inside and outside of the virtual worlds.