SinVR porn app flaw exposed user data ripe for blackmail

Virtual reality (VR) porn is an exciting new frontier. But it turns out it’s also a risky one as the SinVR app was found to be leaking 20,000 usernames and email addresses.

UK cyber security firm Digital Interruption found a vulnerability in the app which exposed the data of swathes of people who make use of the “private dungeon” experience SinVR offers.

Through reverse engineering the app, the team at Digital Interruption found a suspiciously named function called ‘downloadallcustomers’.

They found that through looking at how the web API (application programming interface) for the app worked, they were able to trigger the function manually which spilled out user details.

While credit card details and passwords weren’t leaked other identifying data was, which could throw up some sticky situations for SinVR users.

“Not only could an attacker use this to perform social engineering attacks, but, due to the nature of the application, it is potentially quite embarrassing to have details like this leaked,” explained Digital Interruption. “It is not outside the realm of possibility that some users could be blackmailed with this information.

The cyber security company made the flaw public after attempting to contact SinVR’s parent company InVR.

According to InVR, the vulnerability has now been fixed and the company has learned from the whole experience.

“Moving forward, we are confident in our ability to stop similar attacks and will keep using a professional security service to audit our system. We are making sure that all ‘back door’ intrusions are fully consensual,” a spokesperson told Alphr.

Porn apps have a reputation for often being infected with malware. SO if you’re a fan of porn on mobile or for use in VR headsets it’s worth proceeding with caution and ensuring you have protection.

Related: Samsung Galaxy S9 release

Have you encountered malware in porn apps? If so let us know on Facebook or Twitter.