The Security Ledger

Adult Themed Virtual Reality App spills Names, Emails of Thousands

Thousands of users of an adult virtual reality application risk having their personal information, including names and email addresses exposed, according to researchers in the UK.

Thousands of Internet denizens who wanted to explore their virtual naughty side are in for an unpleasant surprise after a firm offering an adult virtual reality game, SinVR, accidentally exposed information on around 20,000 customers to security researchers.

Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application – a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger.

Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count.

SinVR, a company offering adult-themed virtual reality games, exposes data on thousands of customers via a leaky desktop application, according to researchers at the firm Digital Interruption.

SinVR is a sex-themed virtual reality game that allows players to navigate in various adult-themed environments and interact with virtual characters in common pornographic themes including BDSM, cosplay, teacher, and so on.

According to the post, Digital Interruption found a high risk vulnerability in the SinVR application that allows an attacker to download details such as the customer’s name, email addresses and device names for everyone with a SinVR account. Also exposed was data including names, email addresses and device names for customers who paid for the SinVR content using PayPal.

Researchers at Digital Interruption, a penetration testing firm based in Birmingham, UK, made a survey of various adult themed applications and decided that the SinVR application looked like the most fruitful ground to explore. The group discovered the hole after reverse-engineering the SinVR desktop application and noticing a function named “downloadallcustomers“. That function called a web service that downloaded thousands of SinVR customer records including email addresses, user names, computer PC names and so on. Passwords and credit card details were not part of the data dump, Harris said.

A doctored screenshot of leaked data from a SinVR application. (Image courtesy of Digital Interruption.)

The function was not accessible from the SinVR application, but by studying how the SinVR web API (application program interface) worked, Harris was able to trigger it manually. And, because no authentication is required, it would be possible for any SinVR user to download all customer records, Harris said.

He said the application, which relied on a Microsoft .NET library, was simple to reverse engineer and analyze. However, contacting the firm has proven challenging. More than one effort to reach out to the parent company, InVR Inc. have fallen flat, including messages sent by email, Twitter and on Reddit forums where the company is active.

Multiple efforts by The Security Ledger to contact inVR Inc. were also not returned.

The security of adult themed web sites and toys has been found wanting before. The firm Pen Test Partners discovered a wide range of security flaws in adult toys including wireless vulnerabilities and vulnerable mobile applications. Similarly, the researcher Alberto Segura likewise identified flaws in mobile applications that were companions to and allowed remote control of adult toys.

While the risk of physical harm resulting from the flaws is low, the sensitive nature of the toys presents a number or risks.

“Not only could an attacker use this to perform social engineering attacks, but due to the nature of the application it is potentially quite embarrassing to have details like this leaked. It is not outside the realm of possibility that some users could be blackmailed with this information,” Harris wrote.


Spread the word!