
Privacy concerns with Viewer 2.0

[First posted 09-Mar-2010 here]

If you care about your privacy and identity, then be sure to read and vote on this JIRA issue.

In short, any Shared Media prim has the potential to collect all sorts of information about you: IP address, operating system and version, language (which gives a good idea of your country), client and version, and more.
Possible exploits are linking alts to mains, griefing, stalking, RL harassment, phishing, malware and viruses.

The JIRA entry and the subsequent comments have a lot more information. And this blog is also worth reading.

I’m kind of surprised how few people seem bothered by this.

Update: This blog comment highlights a very scarily plausible scenario for how a phishing attack could successfully compromise your SL account.

2 thoughts on “Privacy concerns with Viewer 2.0”

  1. The aforementioned blog comment I referred to, reproduced with permission:

    MSo Lambert – 28/Feb/10 09:55 AM

    Hmm there is also an additional security risk, potentially much more dangerous than having your IP address exposed – phishing. We all know how devastating it can be if you log on PayPal or your online banking site and it turns out it was actually a phishing site designed to trick you into giving them your sensitive login information.

    To avoid phishing, we usually thoroughly check the actual URI of the site (make sure it starts with http://www.paypal.com for example), check the SSL certificate and / or use some 3rd-party anti-phishing solutions to spot malicious sites like Google’s Safe Browsing (or turn on the built-in features in many browsers).

    Now with how Shared Media is designed at the moment, a creator can disable the browsing controls (that usually hover above the Shared Media surface) for other users. This can potentially be extremely dangerous since I can’t immediately see or scan the actual URL of the media being displayed. I can dig it out by using advanced media controls, but by then it might be too late.

    Imagine this scenario. After a few months, most SL creators start displaying their XStreet items inside their shops on Shared Media surfaces – it’s so common we don’t even pay attention to it. I land inside some new in-world shop that looks legitimate and I see an interesting XStreet item displayed on a shared media surface inside the shop. I decide to buy it and I log on XStreet directly on that shared media surface. Of course I didn’t know the XStreet login was actually a carefully designed phishing site indistinguishable from the actual XStreet login and I just gave away my Second Life avatar name and password. And a few moments later, my L$ and US$ balance both show 0,00.

    As Shared Media takes off, people will probably be logging into much more than just XStreet – from Google and GMail accounts, collaboration tools, intranet education sites etc. and phishing could really become a huge issue.

    In order to avoid this, I believe the users should have their own control over displaying browsing controls (or at least showing the actual URL of the media by default at a prominent and visible place on the screen) which would need to override whatever the creator has set (so the creator’s settings would just be the preferred or suggested settings, and could be overridden by the viewing user’s setting).
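The URL check mentioned in the comment above, as an added example that is not part of the original post or comment: a "starts with" test on the URL string is satisfied by lookalike addresses, so the check has to parse the URL and compare the scheme and the exact host. The allowlist, function names and sample URLs are constructed for illustration (example.net stands in for an unknown site).

```javascript
// Added example: decide whether a media URL should be trusted with a login.
// TRUSTED_LOGIN_HOSTS is a constructed allowlist, not taken from the page.
const TRUSTED_LOGIN_HOSTS = new Set(["www.paypal.com"]);

// Weak check: a string prefix test, which lookalike hosts also pass.
function prefixCheck(rawUrl) {
  return rawUrl.startsWith("https://www.paypal.com");
}

// Strict check: parse the URL, then require https and an exact host match.
function checkLoginUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // "https://trusted-name@other-host/" puts the trusted name in userinfo.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo in URL" };
  }
  // The parser lowercases the hostname; drop a trailing root dot if present.
  const host = url.hostname.replace(/\.$/, "");
  if (!TRUSTED_LOGIN_HOSTS.has(host)) {
    return { ok: false, reason: "host not on allowlist: " + host };
  }
  return { ok: true, reason: "exact host match over https" };
}

// Constructed sample URLs.
const SAMPLES = [
  "https://www.paypal.com/signin",
  "https://www.paypal.com.example.net/signin",
  "https://www.paypal.com@example.net/signin",
  "http://www.paypal.com/signin",
  "https://www.paypa1.com/signin",
];

for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log(`prefix=${prefixCheck(s)} strict=${r.ok} (${r.reason}) ${s}`);
}
```

The second and third samples pass the prefix test but fail the strict check, which is why a viewer that hides the address bar removes the user's only chance to make this comparison.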
