An adult VR app reportedly exposed the private and sensitive information of 20,000 customers. High-risk vulnerabilities discovered in the SinVR app saw personally identifiable information (PII) of the app's customers leaked for days before the firm fixed the issue.
According to security researchers at London-based cybersecurity firm Digital Interruption, one of the flaws in the app could have allowed hackers to download users' names, email addresses and device names. The researchers raised concerns that the exposed data left the app's users at risk of social engineering attacks or even blackmail.
According to the security experts, the flaw could have allowed hackers to download the personal details of every single SinVR customer with an account. The vulnerability could have also let hackers download the details of users who paid for content using PayPal.
The researchers said that they attempted to disclose the flaw to SinVR via email, Twitter and Reddit but heard nothing back. However, around five days after the researchers first reported details of the problem to the firm, SinVR finally patched the flaw.
"Digital Interruption gave us ample warning before posting their findings and we fixed the issue as soon as it was revealed to us," a spokesperson for SinVR told Alphr. "We are in contact with them and they confirmed that the outlined security hole was closed. Altogether, it has been a tremendous learning experience, which will serve to enhance our security, and we are glad that it was conducted ethically.
"Moving forward, we are confident in our ability to stop similar attacks and will keep using a professional security service to audit our system. We are making sure that all 'back door' intrusions are fully consensual," the spokesperson added.
Although the flaws have now been fixed, it is still unclear whether any malicious entities accessed users' information while the app was still leaking data.
"As this is quite a lot of PII, not only could an attacker use this to perform social engineering attacks, but due to the nature of the application, it is potentially quite embarrassing to have details like this leaked. It is not outside the realm of possibility that some users could be blackmailed with this information," Digital Interruption researchers wrote in a blog post.