"Second Life" is also victim of SQL Injection

By N-Stalker Team on February 12, 2009

According to Hacker’s Blog, the famous virtual world “Second Life” was susceptible to a SQL injection vulnerability that eventually gave access to customer data, including payment details.

Although the evidence is obfuscated enough to protect personal data, it is clear that a SQL injection flaw was used, via the “Events” section of the website, to obtain full access to their database. “Second Life” has a virtual currency called “Linden” that is widely used inside the game to purchase goods and make trades. Some of the evidence shows that “Linden” amounts can be retrieved (maybe even updated). The last image shows a MySQL table schema with column names that resemble payment information, such as credit card fields.

We are witnessing a large number of security incidents in which SQL injection plays an important role. These facts demonstrate how important the discipline of “Secure Development Life Cycle” is becoming for web applications.
