The Daily Swig Web security digest

Flaw patched in VR porn app that left 20,000 user details exposed

James Walker | 18 January 2018 at 12:17

Researchers discovered API vulnerability using Burp Suite.

The developers behind SinVR, a virtual reality porn app with an estimated 20,000 users, have patched a “high-risk” vulnerability that could have allowed an attacker to download account holders’ personally identifiable information.

After reverse engineering the adult entertainment app, researchers at UK-based cybersecurity firm Digital Interruption noticed a function that would apparently allow the application to download a list of all usernames, email addresses, and device names, and another that would download a list of all account holders who had used PayPal to purchase virtual reality pornographic ‘scenes’.

“Although we weren’t able to trigger this function from the application itself (it would have been possible by modifying the binary), by looking at how the web API worked, it was possible to make a call to these endpoints manually,” Digital Interruption’s Jahmel Harris said in a recent blog post.

“As there is no authentication on the endpoint, it would be possible for an attacker to download a full list of users of SinVR. During testing, Digital Interruption only downloaded enough users to prove this was an issue by finding our own account.”

Speaking with The Daily Swig via email earlier this week, Digital Interruption researcher Jahmel Harris confirmed the vulnerability was identified using PortSwigger’s Burp Suite. “We believe this is likely to be isolated to SinVR, as it was an issue with how they were accessing data with their API,” he said.

Despite the sensitive nature of the flaw, which exposed users to potential embarrassment, or even blackmail, Digital Interruption went public with its findings after SinVR failed to acknowledge the vulnerability for more than two weeks.

The flaw was ultimately patched by January 15, although it seems the developers still have some housekeeping to carry out on their source code.

“Other vulnerabilities that do not directly impact users will be released soon, but we’d like to give the developers of SinVR time to fix them should they wish,” Harris stated.

News of the SinVR security loophole follows the September 2016 announcement that the personal details of 800,000 registered users of porn site Brazzers were compromised in a data breach.

More recently, an October 2017 study from Proofpoint found that millions of Pornhub users in the US, Canada, UK, and Australia were exposed to a malvertising attack that was active for more than a year.