Active Worlds Security Team (AWST)
Written by Awportals.com
In 2002, much attention had been drawn to insecurities within the Active Worlds software. The most notable event that suggested this was when 'GAVROCHE' and 'GAMER' executed a modified world server within Active Worlds which faked a user count of over 14,000 users.

The resulting communications between 'GAVROCHE' and Active Worlds Staff led to the formation of a team of like-minded individuals, with a great knowledge of protocols and exploitation, to improve the security of Active Worlds software. The team were asked to report their findings directly to Active Worlds developer 'ROLAND' and in return would not be held accountable for minor exploitations made to the Active Worlds software.

Whilst externally the AWST seemed like a force for good in the Active Worlds universe, it was mostly a facade to allow the continuation of exploitation in the Active Worlds universe. Now that 'GAVROCHE' had permission (of sorts) to modify Active Worlds software, he was free to explore the greater possibilities within the software. This led to the development of a number of exploits within Active Worlds:

- Cracked Universe Server
A version of the Active Worlds universe server that had licensing and remote access code removed to allow any individual to host a universe without cost. This software was used to host illegitimate universes such as X-Worlds.

- Active Worlds Citizen Impersonation
'GAVROCHE' was able to identify a way to completely assume the identity of another citizen in Active Worlds. Using a modified world server, he was able to capture all the required information that a browser might give to a world server to be identified as a specific citizen (i.e. citizen number, session number and random ident code). He then found a way (using AWProxy) to pass this information through to his browser, allowing him to apply the information to his own account and visit other worlds assuming the identity of the user that had entered his world.

Screenshot: http://www.numix.net/impersonation.jpg

This had profound implications within the Active Worlds universe, as it was now possible to assume the identity of ANY citizen that entered the world 'ANTICRAX' instantly, whether they were online or not. If someone was impersonating a citizen whilst in the same world, their avatar would become invisible to other users and their text would appear to be spoken by the original user. The impersonator would also assume building and any other rights that the victim may have in a world (including, where possible, Caretaker privileges). Many stunts were performed by users of the impersonation exploit, including the ejection of Peacekeepers from AlphaWorld, targeted attacks on citizens and the deletion of other citizens' property. As soon as the effects became apparent, 'GAVROCHE' disabled the exploit and denied any involvement.

---

The AWST did provide useful information to AWI that led to improvements in security within the Active Worlds browser, but their long list of exploits caused an equal amount of damage to the Active Worlds community and fueled others' desires to attempt such activities. The AWST disbanded later in 2003.

Awportals.com is a privately held community resource website dedicated to Active Worlds.
Copyright (c) Mark Randall 2006 - 2024. All Rights Reserved.