In order to clear up a bit of confusion, I’ve set up a system to show what information the Second Life viewer sends when it accesses a media stream or accesses a Web-site via the built-in browser.

That script is here: http://taterunino.net/env.cgi

Open up the internal browser in your viewer and paste in the URL.

An LSL script can get your browser to add additional information, like your location, avatar name or avatar UUID, if it chooses to. What’s shown with this system, however, is just what is being sent by default.

So, what’s there?

Well, there’s your IP address and port, obviously. A request can’t be sent without an origin to answer to. If you’re on a corporate or university network, or you’re connected through a cost-conscious ISP, the IP address that is sent may be shared with many other people.

In among the viewer identity data, you’ll also usually find the name and version of the viewer being used and which viewer skin you have selected.

Lastly, some of the HTTP information may indicate what language you’ve set as the default for your viewer.

Hope you find that useful.

[Update]

How can you detect alts with this?

Well, up until the most recent viewers (that is, the most recent viewer 2 viewers), cookies used by the HTTP system in the viewer were held across accounts. So, if you logged in as Foo Bar, requesting a Web-page, parcel media stream or shared media could set/get an HTTP cookie in your viewer.

Then, it could ask for that cookie next time, and it would be the same cookie, regardless of which account you were logged into, thus identifying which accounts used that viewer on your PC.

As far as I know, all Second Life viewers have this vulnerability. That’s all of the first-party and third-party viewers based off of version 1.x, starting with 1.5 or 1.6, and all the initial releases of viewer 2 (and any third-party viewers based on that), excepting the latest versions. So, this is really something you could do successfully since 2005.
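The cookie behaviour described above can be modelled in memory to show why per-account cookie storage closes the leak. This is an added example, not code from the viewer or from env.cgi; the class names, the `vid` cookie name and the second avatar name are constructed, and it assumes the avatar name reaches the server because an LSL script added it to the request.

```python
import uuid
from collections import defaultdict


class MediaServer:
    """Constructed stand-in for a web or media server that sets one ID cookie."""

    def __init__(self):
        # cookie value -> avatar names that presented it
        self.seen = defaultdict(set)

    def handle(self, cookies, avatar):
        # Reuse the cookie the viewer sent, or mint a new one on first contact.
        vid = cookies.get("vid") or uuid.uuid4().hex
        self.seen[vid].add(avatar)
        return {"vid": vid}  # what a Set-Cookie header would carry

    def linked_accounts(self):
        # Any cookie seen with more than one avatar name links those accounts.
        return [sorted(names) for names in self.seen.values() if len(names) > 1]


class Viewer:
    """Model of the viewer's HTTP cookie storage (assumption, not viewer code)."""

    def __init__(self, per_account_cookies):
        self.per_account_cookies = per_account_cookies
        self.jars = defaultdict(dict)

    def request(self, server, avatar):
        # Older behaviour: one jar for every login. Fixed: one jar per account.
        key = avatar if self.per_account_cookies else "shared"
        jar = self.jars[key]
        jar.update(server.handle(dict(jar), avatar))


def run(per_account_cookies, avatars=("Foo Bar", "Alt One")):
    """Log in as each avatar in turn on one PC and visit the same server."""
    server = MediaServer()
    viewer = Viewer(per_account_cookies)
    for name in avatars:
        viewer.request(server, name)
    return server.linked_accounts()


if __name__ == "__main__":
    print("shared jar     :", run(per_account_cookies=False))
    print("per-account jar:", run(per_account_cookies=True))
```

With the shared jar the server sees one cookie value for both names; with a jar per account each login presents a different cookie, so nothing ties the two together at the cookie level (the IP address is still common to both).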


