A team of security researchers recently uncovered serious security flaws in the desktop app of adult VR platform SinVR that allowed them to access names and e-mail addresses of over 20,000 app users.
The researchers came across a function on the desktop app of SinVR that allowed anyone to download sensitive details of thousands of app users from the platform’s web API.
In the recent past, hackers seeking financial gain, whether by targeting banks or by stealing personal data and selling it to fraudsters, have gone after apps and websites that hold large amounts of customer data yet fail to secure it effectively.
Among those targeted are a number of platforms that offer pornographic content to thousands, perhaps millions, of users across the world and that, as a result, also collect login details and personally identifiable information from all of their subscribers.
Last year, millions of people who visited the popular adult website Pornhub in the United States, the UK, Canada and Australia were exposed to ad fraud malware that hackers had injected into the site by disguising it as fake browser update adverts. The attack affected users of popular browsers such as Google Chrome, Firefox and Microsoft Edge.
Even though today’s hackers are highly trained and use sophisticated tactics to compromise websites and apps, most breaches occur because of glaring security flaws in such platforms that are overlooked or ignored outright for long periods.
Recently, security researchers at Digital Interruption were able to access the names, e-mail addresses and device names of over 20,000 people who had subscribed to SinVR, a popular VR app that offers pornographic content in a virtual reality environment.
While reverse engineering the SinVR desktop app, the researchers discovered a function called ‘downloadallcustomers’. After studying how SinVR’s web API worked, they invoked the function manually and found themselves looking at the names, e-mail addresses and device names of over 20,000 app users. According to them, any hacker could use the same approach to access the personal details of SinVR users with ease.
They added that the flaw allowed ‘an attacker to download details (including names, email addresses and device (PC) names) for everyone with an account as well as download details (again including names, email addresses and device names) for those users that have paid for content using PayPal.’
‘As this is quite a lot of PII, not only could an attacker use this to perform social engineering attacks, but due to the nature of the application it is potentially quite embarrassing to have details like this leaked. It is not outside the realm of possibility that some users could be blackmailed with this information,’ they added.
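The flaw described above is a textbook case of broken access control: a bulk-export action that the client exposes as a function and the server performs for any caller, with no check on who is asking. The following Python is an added example written for this article, not SinVR’s code; the route names, the session store, the customer records and the role names are all constructed. It shows the vulnerable pattern (an export route with no authorization gate) beside a hardened replacement that denies by default, distinguishes authentication from authorization, returns only the minimum fields, and pages the result so a single call can no longer dump the whole table. It also includes a small route audit a defender can run over a route table to find any endpoint registered without a required role.

```python
"""Broken access control on a bulk customer export, and its hardened form.

Added example for illustration only. Nothing here is SinVR's code; the
routes, sessions, roles and customer records below are constructed.
"""
from dataclasses import dataclass

# Constructed sample records (not real users). A per-user endpoint may return
# its caller's own row; a bulk export must never be reachable anonymously.
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "device": "ALICE-PC"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com", "device": "BOB-LAPTOP"},
    {"id": 3, "name": "Carol Example", "email": "carol@example.com", "device": "CAROL-PC"},
]

# Constructed server-side session store: bearer token -> identity and role.
SESSIONS = {
    "tok-alice": {"user_id": 1, "role": "customer"},
    "tok-admin": {"user_id": 99, "role": "support_admin"},
}

PAGE_SIZE = 2  # small on purpose so the paging is visible in a demo


@dataclass
class Response:
    status: int
    body: object


def session_for(request):
    """Resolve the caller's session from an Authorization header, or None."""
    header = request.get("headers", {}).get("Authorization", "")
    if not header.startswith("Bearer "):
        return None
    return SESSIONS.get(header[len("Bearer "):])


def download_all_customers(request):
    # The vulnerable pattern as reported: a bulk dump of every account's
    # name, e-mail and device name, with no check on who is calling.
    return Response(200, CUSTOMERS)


def export_customers_paged(request):
    # Hardened replacement. Authorization is enforced by dispatch() before
    # this runs; here we also minimise fields and page the output.
    page = int(request.get("query", {}).get("page", 0))
    window = CUSTOMERS[page * PAGE_SIZE:(page + 1) * PAGE_SIZE]
    rows = [{"id": c["id"], "email": c["email"]} for c in window]
    return Response(200, {"page": page, "customers": rows})


def my_account(request):
    # Per-user endpoint: only the caller's own record, keyed off the session
    # the server resolved, never off an id the client supplies.
    uid = request["session"]["user_id"]
    record = next((c for c in CUSTOMERS if c["id"] == uid), None)
    if record is None:
        return Response(404, {"error": "no such account"})
    return Response(200, record)


# Route table: path -> (handler, required_role). None means "no gate", which is
# exactly the condition the audit below flags.
ROUTES = {
    "/api/downloadallcustomers": (download_all_customers, None),
    "/api/admin/customers": (export_customers_paged, "support_admin"),
    "/api/me": (my_account, "customer"),
}


def dispatch(routes, path, request):
    """Central authorization gate: decide access before any handler runs."""
    handler, required_role = routes[path]
    if required_role is not None:
        session = session_for(request)
        if session is None:
            return Response(401, {"error": "authentication required"})
        if session["role"] != required_role:
            # Authenticated is not authorised: a valid customer session must
            # not unlock an export of everyone else's PII.
            return Response(403, {"error": "insufficient privileges"})
        request = dict(request, session=session)
    return handler(request)


def find_unprotected_routes(routes):
    """Audit helper: paths whose handler is reachable with no required role."""
    return sorted(path for path, (_h, role) in routes.items() if role is None)


if __name__ == "__main__":
    anon = {}
    print("anonymous bulk export ->", dispatch(ROUTES, "/api/downloadallcustomers", anon).status)
    print("anonymous hardened   ->", dispatch(ROUTES, "/api/admin/customers", anon).status)
    print("unprotected routes   ->", find_unprotected_routes(ROUTES))
```

The audit function is the part worth wiring into a build: a test that asserts `find_unprotected_routes()` returns an empty list (after allow-listing genuinely public routes such as login) will fail the moment someone registers a new data-returning route without a role, which is the class of mistake the researchers found here.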
The researchers initially struggled to obtain any response from the developers of SinVR or the firm’s parent company InVR Inc after contacting them via e-mail and on social media platforms. This lack of response, coupled with the real privacy threat faced by thousands of SinVR users, forced them to go public with their findings in late December.
Two days ago, SinVR acknowledged that the security flaws highlighted by the researchers did exist, and said that the firm had promptly fixed them and taken steps to ensure that similar attacks will not occur in the future.
‘Digital Interruption gave us ample warning before posting their finding and we fixed the issue as soon as it was revealed to us. We are in contact with them and they confirmed that the outlined security hole was closed. Altogether, it has been a tremendous learning experience, which will serve to enhance our security and we are glad that it was conducted ethically,’ the firm told tech news site Alphr.