Adult VR app SinVR exposes names and emails of thousands of users

Security researchers have uncovered a serious vulnerability in the pornographic VR game

SinVR is a pornographic virtual-reality game offering users their own “private dungeon”. As Security Ledger reports, tens of thousands of customer records were uncovered by UK security firm Digital Disruption, which found a high-risk vulnerability in the SinVR application. This led the ethical hackers to the names, email addresses and device names for everyone with a SinVR account, as well as anyone who paid for content using PayPal.

“Not only could an attacker use this to perform social engineering attacks, but, due to the nature of the application, it is potentially quite embarrassing to have details like this leaked,” writes Digital Disruption in a blogpost. “It is not outside the realm of possibility that some users could be blackmailed with this information.”

Digital Disruption discovered the vulnerability as part of a survey of adult websites. The team reverse engineered the SinVR desktop app, and came across the inconspicuously named function “downloadallcustomers”. The function couldn't be enabled from the application itself, but by looking at how the web API worked, the researchers triggered it manually.

After being frustrated in their attempts to contact the parent company of SinVR, InVR Inc, the researchers took the step of going public with their findings – which they did last week, although not without censoring personal details in their screenshots. They claim it would be possible for an attacker to download a full list of SinVR users, although password and credit card details are not part of the data dump.

(Above: Censored image of leaked data obtained by Digital Disruption. Credit: Digital Disruption)

The number of users on a site like SinVR may be small compared to the number on the infidelity dating site Ashley Madison – which was breached in 2015 – but, as Digital Disruption notes, an attacker could similarly use the sensitive nature of the app for blackmail.

This article originally appeared at alphr.com

Copyright © Alphr, Dennis Publishing