Flaw in VR porn app SinVR left thousands of user details exposed

17 Jan 2018


A SinVR app vulnerability could have allowed hackers to download account holders’ personal details.

Virtual reality (VR) pornography app SinVR has fixed a security flaw that could have seen hackers and cyber-criminals download personal information related to account holders.

Data left out in the open

UK security firm Digital Disruption originally discovered the flaw while carrying out general security tests on a series of digital products in the adult market.

The app vulnerability meant that names, email addresses and device names for every SinVR account holder were publicly available. Anyone who paid for content on the app using PayPal was also vulnerable to the flaw.

Although passwords and payment details were not exposed in the hack, the problem still had the potential to affect individual users. The researchers decided not to give exact details of how attackers could access this information, in order to maintain ethical standards.

The risk of social engineering attacks and blackmail led the researchers at Digital Disruption to warn the SinVR developers of the flaw through email, Twitter and Reddit messages.

When no response was received from the company behind the app, security researchers publicised the information to notify people who may be affected.

SinVR responds

SinVR stated that it had fixed the vulnerability as soon as Digital Disruption staff had made it aware of the issue, saying: “Altogether, it has been a tremendous learning experience, which will serve to enhance our security, and we are glad that it was conducted ethically.”

The SinVR team told Alphr it was confident that it would be able to stop similar attacks in future, and would be using a professional security system on a continuous basis to conduct audits.

This incident is somewhat similar to the major data breach suffered by the extramarital affairs website Ashley Madison in 2015.

Hackers posted personal information and email addresses from 32m of its members, citing anger at the website’s core mission and business practices as their motivation.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.
