Thanks to Sensepost for reporting this story last month. They describe an advisory published by Charles Miller and Dino Dai Zovi whereby arbitrary characters in Second Life are digitally mindjacked and robbed. By walking on "land" owned by an attacker, and having Second Life configured to automatically display video, a victim's avatar and computer can be exploited via the November 2007 Quicktime vulnerability. In the YouTube video you can see "Sussy McBride" be freeze, shout "I got hacked," and give her money to the attacker.
I am fascinated by this story because it is the natural progression from a 2006 post Security, A Human Problem describing a Second Life denial of service attack. In that post I said:
First, it demonstrates that client-side attacks remain a human problem and less of a technical problem. Second, I expect at some point these virtual worlds will need security consultants, just like the physical world. I wonder if someone could write a countermeasure at the individual player level for these sorts of attacks?
I wonder if anyone in Second Life will start creating disposable bodyguard avatars to walk in front of highly-valued avatars, thereby acting as "digital mine detectors?"