Poor security left 20,000 porn-watchers exposed
Digital Interruption found the flaw in 'digital fantasy' app SinVR
Sharing data with adult websites has always been a risk. As if it's not bad enough to have your personal details in the hands of cyber criminals, knowing that they came from a naughty source also adds an element of embarrassment. Although not on the same level as the 37 million customers exposed by the Ashley Madison leak, the 20,000 customers potentially exposed by a fault in a new VR porn app probably feel the same way.
Cysec firm Digital Interruption discovered the vulnerability in the SinVR app, which has more than 300 backers on Patreon. True to its name, it aims to enable backers to live out their private fantasies; some of the characters on the Patreon page are modelled after Scarlett Johansson as Black Widow, Emilia Clarke as Daenerys Targaryen and Jessica Rabbit.
Digital Interruption reverse-engineered the app, which uses the .NET library, and found a number of vulnerabilities ‘and deviations from security best practice'. One of these, a function called ‘downloadallusers', predictably can be used to access a list of all customers with an account. This includes names, email addresses and devices used to access SinVR. Another similar function did the same for the list of customers who had paid using PayPal.
The security firm says that it went public after trying to contact SinVR's parent company, InVR, with its findings and receiving no response. SinVR itself wrote in a post on Patreon that it began fixing the issue ‘right away' after being informed about the hole.
Although credit card and payment details were not able to be lifted, an attacker could certainly use the data to identify customers and use the information for blackmail.
SinVR added, ‘Moving forward, we are confident in our ability to prevent security holes and will keep using a professional security service to audit our system. We are making sure that all ‘back door' intrusions are fully consensual'.