Simple Summary Below Explanation.
Flagging @chris so this can get noticed and hopefully worked on.
Today while doing some testing, also confirmed with @OmegaHeron, I noticed that if I logged out I was still on his domain but his domain server did not show I was anyone, just “Agent” but no name listed.
I decided to do some other tests and verify if I could use the lobby (esc key) and it showed me other places I could transport to. On those places, I could move about as usual and access content. I could right click on something and hide it/unhide it. I did not delete anything as I did not want to ruin someone’s hard work.
This persisted even with me closing the client, reopening it and clicking the x to the login box.
To sum this up, a non-logged-in avatar can do the following things without detection, other than if you log their IP address:
- Not show up in the online box (which is by design but allows stealth movement)
- Use Lobby to find a “Place” to visit.
- Visit any Domain/Place not locked down (default settings allow anonymous access - even
- Edit entities at will which includes locking/unlocking/deleting/editing. (Serious Risk)
Until something is done to control access to entities, this will be a persistent problem and you will depend on your backups if items are deleted.
You can protect yourself by doing one or all of these things:
- Depend on your backups and reload them should something be deleted or altered.
- Do not make your place name public as “Lobby” works for unlogged in avatars (accessible via the ESC key).
- This is doable by restricting access to specific usernames or not putting a picture for your “Place” as it will not list it if those are missing.