USED to being ripped-off at the movies? Two hackers have designed a video clip in Second Life that automatically steals money from people as they watch it.
Second Life is a virtual world where users can create avatars and purchase virtual property such as land, housing, furniture and clothes.
Charles Miller and Dino Dai Zovi, independent security consultants and Macintosh hacking enthusiasts, have discovered how Second Life can have virtual pickpockets as well.
Second Life plays videos using Apple's QuickTime player, which automatically starts playing a clip if a user's avatar walks within viewing-distance of the screen.
Mr Miller and Mr Dai Zovi exploited a known security flaw in the QuickTime software to make a video that takes control of unsuspecting Second Life users' assets.
The hackers were then able to transfer virtual money – which can be exchanged for real money – from their victims' accounts into their own.
Currently the video is being used as a cautionary alert only. When viewed, it takes 12 Linden Dollars (approximately 55c) from the victim's account and forces their avatar to say: "I have just been hacked."
Linden Labs, the company behind Second Life, alerted players to the exploit on its blog and warned them to switch off streaming video in their preferences, but stopped short of disabling video for all users.
"We do have the ability to turn off all videos on the grid, but have instead chosen to respect the existing in-world content and experiences which rely on streaming video," the company said.
Linden blamed the QuickTime security flaw for the exploit and said Apple had not yet released an update to fix the problem.
"The bug is in QuickTime, and not in the Second Life viewer. When Apple has submitted a fix, we will integrate it into the viewer as quickly as possible," the company said.
An Apple spokeswoman said the company was "looking into it".
