The personal information of thousands of people who like to strap on a headset to enjoy sex with virtual people was accidentally exposed for two weeks.
Security researchers at the UK penetration-testing firm Digital Interruption unsuccessfully tried to get the company’s attention during that time, all while the details of approximately 20,000 customers of the adult virtual reality game SinVR were accidentally exposed.
Finally, last Tuesday, Digital Interruption went ahead and published details of one of multiple flaws in the SinVR app.
Digital Interruption’s Jahmel Harris said in the post that research had uncovered a high risk vulnerability in the SinVR application that leaked customer information, plus “several deviations from security best practice.”
After not hearing back from emails sent to addresses found on SinVR’s active Reddit account and reaching out via Twitter, Digital Interruption took it public with help from The Security Ledger and @haveibeenpwned creator Troy Hunt.
Digital Interruption researcher and founder Jahmel Harris told The Security Ledger that SinVR flaws were exposing names, email addresses, and other personal information via an insecure desktop app. Jahmel didn’t have an exact count of how many customers’ details had been exposed, but he estimated that it was more than 19,000 records.
Due to the nature of the issues found, we made the tough decision of bringing one of the issues to the attention of the public in order to warn users their data was not being protected adequatly. [sic]
Digital Interruption is giving SinVR a chance to fix the other flaws before making them public. As far as the one that’s now public goes, the bug would allow an attacker to download details (including names, email addresses and device [PC] names) for everyone with an account, as well as to download details (again including names, email addresses and device names) for those users that have paid for content using PayPal.
Harris told The Security Ledger that his team discovered the hole after reverse-engineering the SinVR desktop application and noticing a function named “downloadallcustomers.” The function called a web service that downloaded thousands of SinVR customer records, including email addresses, user names, computer (PC) names and so on. Passwords and credit card details weren’t part of the data dump, Harris said.
It’s not known whether anybody’s actually downloaded all customer details, but it’s possible, given a lack of authentication on the endpoint. As for Digital Interruption, during testing, it only downloaded enough users to prove the issue existed, by finding its own account.
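To make the defect concrete, here is an added illustration (not SinVR’s code, and not Digital Interruption’s) of the pattern Harris describes: a bulk “download all customers” web handler that trusts whoever calls it, placed next to a hardened version that authenticates the caller, restricts bulk export to staff, and records each export. The bearer-token session store, the customer rows and the role names are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample customer table (stands in for the real records).
CUSTOMERS = [
    {"id": 1, "name": "alice", "email": "alice@example.test", "device": "ALICE-PC"},
    {"id": 2, "name": "bob", "email": "bob@example.test", "device": "BOB-LAPTOP"},
    {"id": 3, "name": "carol", "email": "carol@example.test", "device": "CAROL-DESKTOP"},
]

# Constructed session store: bearer token -> who is calling and their role.
SESSIONS = {
    "tok-alice": {"user_id": 1, "role": "customer"},
    "tok-admin": {"user_id": 99, "role": "support_admin"},
}

# Audit trail of bulk exports, so an unexpected dump is visible to operators.
AUDIT_LOG = []


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


def weak_download_all_customers(req):
    """The pattern from the article: the server assumes only the desktop
    client will ever call this, so it hands every record to any caller."""
    return 200, CUSTOMERS


def _authenticate(req):
    """Resolve 'Authorization: Bearer <token>' to a session, or None."""
    value = req.headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return SESSIONS.get(value[len("Bearer "):].strip())


def hardened_download_all_customers(req):
    """Same endpoint, hardened: authenticate, then authorise (bulk export is a
    staff operation, never a client one), then log the export."""
    session = _authenticate(req)
    if session is None:
        return 401, []
    if session["role"] != "support_admin":
        return 403, []
    AUDIT_LOG.append("bulk customer export by user %d" % session["user_id"])
    return 200, CUSTOMERS


def hardened_download_own_record(req):
    """What a client actually needs: its own record, nobody else's."""
    session = _authenticate(req)
    if session is None:
        return 401, []
    return 200, [c for c in CUSTOMERS if c["id"] == session["user_id"]]
```

Note that the hardened version is not only an authentication fix: even a logged-in customer is refused the dump, because the data-minimisation question (“why can a client fetch everyone?”) is separate from the authentication one.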
Harris said in his post that the available personally identifiable information (PII) was plenty of ammunition for an attacker to launch social engineering attacks. Beyond that, though, it’s possible that some users could be blackmailed, given the potential embarrassment of being outed as a porn user.
We’ve seen it happen with other adult-themed breaches.
For example, after the 2015 breach at cheaters’ dating site Ashley Madison, extortion was one result. So too were suicides: six days after hackers exposed the names of millions of people who’d signed up for the service, a New Orleans pastor took his own life. A San Antonio city employee who had an Ashley Madison account also killed himself. There were two possibly related suicides in Canada, as well.
At any rate, SinVR eventually got the message. Harris updated his initial post to say that a SinVR employee contacted Digital Interruption on Monday, 15 January, to let them know that the company had fixed the issue.
Digital Interruption confirmed that it could no longer get at the customer data. Now, about all those other vulnerabilities: how about you give us a call, Digital Interruption said to SinVR:
Looks like @sinvrxxx has fixed the vulnerability we raised that exposed thousands of user details. Thanks to @troyhunt and @securityledger for helping us get the word out.
If they’d like to get in touch with us, we’d like to share details about some other vulns we found.
— Digital Interruption (@DI_Security) January 14, 2018
Mahhn
Alternate title: Virtual Sinners Interrupted by Digital exposure…
Mark Stockley
When you’re done with alternative titles for articles, let’s see some alternative security-related band names:
https://twitter.com/NakedSecurity/status/954001852370210817
Mahhn
Faith No More – is all I can think of off the top, for a real band.
I’m not a twitterer, so the socks shall not be mine. I won a box of cool stuff last year, so I’m very content with that :)
Wire tap, Bad Rabbit and the petyas, SSL IT not,
I give up :p
morroney
I guess this gives new meaning to the term “Penetration-testing”!