Second Life hack steals real life money

 

Even virtual worlds are not immune from hacking, and sometimes the hacks can escape back into the real world. According to Independent Security Evaluators, the most recent QuickTime vulnerability enables expert Second Life hackers to steal virtual “Linden dollars” from other players who enter their virtual land. Since Linden dollars are convertible back to real dollars, the hack, in essence, enables real world theft. And it could be even worse.


The QuickTime vulnerability, disappointingly still unfixed by Apple, lets hackers create maliciously crafted QuickTime files that can essentially take over any machine (Windows or Mac) playing them. In Second Life, a QuickTime file can be automatically played on the machine of a user who enters another user’s virtual land (and at pretty much any other time), unless the entering user has disabled this capability (by unchecking “play streaming video when available” in Preferences).


Once played, the malicious QuickTime file can make the user’s machine do anything the file tells it to do. In the case of this hack, that’s simply having the user’s avatar transfer virtual dollars to the attacker, but it could be something worse, such as installing a trojan horse on the player’s machine (especially if the user is running Second Life under an account with administrative access, as most users do).


Virtual worlds are very cool, and will only be getting cooler as the technology advances. But, as with most other recent advances, their vulnerabilities are likely to increase as well. Just as we have learned how to be safer in the real world (but can never be completely safe), we’re going to have to learn similar lessons in virtual worlds (and be aware of similar limitations on being completely safe).

Thursday, December 6, 2007

 
 