Researchers at the firm Digital Interruption on Tuesday warned (https://www.digitalinterruption.com/single-post/2018/01/09/Attention-SinVR-users) that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application – a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger. (https://securityledger.com/2018/01/adult-vr-application-spills-data-on-thousands/)
Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count.
SinVR is a sex-themed virtual reality game that allows players to navigate in various adult-themed environments and interact with virtual characters in common pornographic themes including BDSM, cosplay, naughty teacher, and so on.
The company discovered the data after reverse-engineering the SinVR desktop application and noticing a function named “downloadallcustomers“. That function called a web service that returned thousands of SinVR customer records including email addresses, user names, computer PC names and so on. Passwords and credit card details were not part of the data dump, Harris said.