Adult Themed Virtual Reality App spills Names, Emails of Thousands

Thousands of users of an adult virtual reality application risk having their personal information, including names and email addresses, exposed, according to researchers in the UK.

Thousands of Internet denizens who wanted to explore their virtual naughty side are in for an unpleasant surprise after a firm offering an adult virtual reality game, SinVR, accidentally exposed information on around 20,000 customers to security researchers.

Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes names, email addresses and other personal information via an insecure desktop application – a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger.

Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count.

SinVR, a company offering adult-themed virtual reality games, exposes data on thousands of customers via a leaky desktop application, according to researchers at the firm Digital Interruption.

SinVR is a sex-themed virtual reality game that allows players to navigate in various adult-themed environments and interact with virtual characters in common pornographic themes including BDSM, cosplay, teacher, and so on.

According to the post, Digital Interruption found a high-risk vulnerability in the SinVR application that allows an attacker to download details such as names, email addresses and device names for everyone with a SinVR account. Also exposed was data including names, email addresses and device names for customers who paid for the SinVR content using PayPal.

Researchers at Digital Interruption, a penetration testing firm based in Birmingham, UK, surveyed various adult-themed applications and decided that the SinVR application looked like the most fruitful ground to explore. The group discovered the hole after reverse-engineering the SinVR desktop application and noticing a function named “downloadallcustomers”. That function called a web service that downloaded thousands of SinVR customer records including email addresses, user names, PC names and so on. Passwords and credit card details were not part of the data dump, Harris said.

A doctored screenshot of leaked data from a SinVR application. (Image courtesy of Digital Interruption.)

The function was not accessible from the SinVR application, but by studying how the SinVR web API (application program interface) worked, Harris was able to trigger it manually. And, because no authentication is required, it would be possible for any SinVR user to download all customer records, Harris said.
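The flaw described above, a bulk-export web service that is hidden from the user interface but never checks who is calling it, is shown next to a server-side fix in this added example. It is not code from the article, Digital Interruption or SinVR; the handler names, session store and sample records are all hypothetical.

```python
import hmac

# Constructed sample data; none of it comes from the article.
CUSTOMERS = {
    "u1": {"name": "Alice Example", "email": "alice@example.test", "device": "ALICE-PC"},
    "u2": {"name": "Bob Example", "email": "bob@example.test", "device": "BOB-PC"},
}
# Hypothetical session store: token -> (user id, role).
SESSIONS = {"tok-alice": ("u1", "customer"), "tok-ops": ("ops", "admin")}


def download_all_customers_unauthenticated(request):
    """The flawed shape: the handler never looks at who is calling."""
    return 200, list(CUSTOMERS.values())


def _authenticate(request):
    """Return (user_id, role) for a valid bearer token, else None."""
    presented = request.get("headers", {}).get("Authorization", "")
    for token, identity in SESSIONS.items():
        # Constant-time comparison of the presented header value.
        if hmac.compare_digest(presented.encode(), f"Bearer {token}".encode()):
            return identity
    return None


def download_all_customers(request):
    """Hardened: authenticate, then authorize the bulk export server-side."""
    identity = _authenticate(request)
    if identity is None:
        return 401, {"error": "authentication required"}
    if identity[1] != "admin":
        return 403, {"error": "bulk export is restricted to administrators"}
    return 200, list(CUSTOMERS.values())


def get_my_record(request):
    """What an ordinary client needs: only the caller's own record."""
    identity = _authenticate(request)
    if identity is None:
        return 401, {"error": "authentication required"}
    record = CUSTOMERS.get(identity[0])
    return (200, record) if record else (404, {"error": "no such customer"})
```

Leaving a function out of the client's menus protects nothing, because the client binary can be read; the check has to live in the web service itself.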

He said the application, which relied on a Microsoft .NET library, was simple to reverse engineer and analyze. However, contacting the firm has proven challenging. More than one effort to reach out to the parent company, InVR Inc., has fallen flat, including messages sent by email, Twitter and on Reddit forums where the company is active.

Multiple efforts by The Security Ledger to contact inVR Inc. also went unanswered.

The security of adult-themed web sites and toys has been found wanting before. The firm Pen Test Partners discovered a wide range of security flaws in adult toys including wireless vulnerabilities and vulnerable mobile applications. Similarly, the researcher Alberto Segura identified flaws in mobile applications that were companions to and allowed remote control of adult toys.

While the risk of physical harm resulting from the flaws is low, the sensitive nature of the toys presents a number of risks.

“Not only could an attacker use this to perform social engineering attacks, but due to the nature of the application it is potentially quite embarrassing to have details like this leaked. It is not outside the realm of possibility that some users could be blackmailed with this information,” Harris wrote.

 
