Vulnerability in virtual reality porn app exposes details of 20,000 users

midian182


No company wants its user data leaked online or exposed, but such incidents can be made all the worse when they include an element of embarrassment. While not on the same level as something like the Ashley Madison hack, a flaw in a VR porn app exposed the details of 20,000 people.

It was UK security firm Digital Interruption that discovered the high-risk vulnerability in the SinVR app. The game lets users live out their fantasies in a “private dungeon” and boasts features such as “Boob Jiggling” and “Hip Controls.”

After reverse-engineering the app, which uses Microsoft's .NET library, the researchers found a buried function called “downloadallcustomers” that allowed them to, as the name suggests, download a list of all users. It didn’t include credit card details or passwords, but it did include their names, email addresses, and device names.

The company, which was reviewing the security of several adult websites, also found a list of all users who had used PayPal to purchase VR scenes.

"Due to the nature of the application, it is potentially quite embarrassing to have details like this leaked," wrote Digital Interruption. "It is not outside the realm of possibility that some users could be blackmailed with this information."

Digital Interruption went public with its findings after SinVR’s parent company failed to respond to emails about the app’s flaws. InVR Inc. has now fixed the issues, but it seems to dispute the claims that it ignored the notifications.

“Digital Interruption gave us ample warning before posting their finding and we fixed the issue as soon as it was revealed to us,” said a spokesperson for the company. “We are in contact with them and they confirmed that the outlined security hole was closed. Altogether, it has been a tremendous learning experience, which will serve to enhance our security and we are glad that it was conducted ethically.”

“Moving forward, we are confident in our ability to stop similar attacks and will keep using a professional security service to audit our system. We are making sure that all ‘back door’ intrusions are fully consensual.”

Back in 2015, extramarital affair site Ashley Madison was hacked, resulting in 10 GB of user data being dumped online. Another major porn-related breach occurred in 2016 when the account details of 800,000 Brazzers forum users appeared on the dark web.


 
What's up with the company statement, "We are making sure that all ‘back door’ intrusions are fully consensual"?
 