Virtual Reality apps can be fun to use but they also carry a major threat since they are connected to the Internet – This time, SinVR app was caught leaking user data due to critical vulnerabilities.
A group of researchers from Digital Interruption cybersecurity firm identified a set of critical vulnerabilities in a Virtual Reality porn app SinVR which if exploited could allow attackers to steal personal detail of its users – To researchers, the app exposed data of 20,000 registered users.
What happened
On December 28th, 2017, one of the researchers from Digital Interruption discovered vulnerabilities in SinVR’s app, upon exploiting, it gave him access to usernames, email addresses and download details of 20,000 users.
But it did not end there, the researcher noted that there was no authentication on the endpoint making it possible for hackers to download a full list of users of SinVR. This means the vulnerabilities would let hackers know everything about a user, for instance, their fantasies and who bought scenes through PayPal. However, researchers could not access user passwords or credit card data.
SinVR did not reply to researchers
After finding the vulnerabilities, Digital Interruption decided to share their findings with SinVR in order for it to fix those flaws before a malicious threat actors take advantage of them. Therefore, the company sent several emails to the email address they found, sent messages to its Twitter account and also sent private messages to its active account on Reddit but there was no response from SinVR.
This forced researchers to publish one of their findings on their blog. However, on January 15th, 2018, Digital Interruption received a response from SinVR revealing that they have fixed the issue which was also confirmed by researchers as they had no longer able to access customer data.
“Altogether, it has been a tremendous learning experience, which will serve to enhance our security and we are glad that it was conducted ethically,” said SinVR.
Dangers
Although the vulnerabilities reported by researchers have been fixed one can hope that cybercriminals did not find these flaws before Digital Interruption. However, such incidents can cause users a great deal of online and physical threat since malicious attackers can use the data to blackmail users, demand money or threat them with leaking their personal details to the public.
If you use VR technologies for such fantasies make sure your data is not exposed to the public.
Previously, the cheating site Ashley Madison suffered a data breach in which personal details of 37 million users were leaked online. The leak was so threatening that a former police captain of the City of San Antonio police department committed suicide after his official email address was found in the data leak.
Top, featured image via DepositPhotos/InnovatedCaptures