Thousands of users’ personal information left exposed by a virtual reality porn app prompted the company to do the only appropriate thing: Fix the problem and make a joke about butt sex.
Image: Screenshot via SinVR/YouTube
Researchers at UK-based security firm Digital Interruption found that the app, SinVR, included a buried function called “downloadallcustomers”. After the researchers reverse-engineered the app, the function allowed them to manually – you guessed it – “download a list of all users,” according to Digital Interruptions.
While the data did not include passwords or credit card information, reports the Security Ledger, the penetration testers estimate that the security hole exposed some 19,000 users’ data, including their names, email addresses and device names. A separate function allowed them to download the same details for users who paid for VR scenes using PayPal.
Digital Interruption researcher Jahmel Harris told the Security Ledger that his firm publicised the security vulnerability after multiple failed attempts to reach SinVR’s parent company, InVR Inc. However, a SinVR spokesperson told Gizmodo that Digital Interruption “gave us ample warning before posting their finding and we fixed the issue as soon as it was revealed to us”.
“We are in contact with them and they confirmed that the outlined security hole was closed,” the spokesperson said in an email. “Altogether, it has been a tremendous learning experience, which will serve to enhance our security and we are glad that it was conducted ethically.”
“Moving forward, we are confident in our ability to stop similar attacks and will keep using a professional security service to audit our system,” the spokesperson added. “We are making sure that all ‘back door’ intrusions are fully consensual.”
Back door intrusions – get it?
Security flops in sex-related services are not unique to SinVR. In 2012, a hacker obtained the personal information of more than 350,000 Brazzer users. The hacker was reportedly able to gain access to emails, usernames, encrypted passwords, and even determine the full name and origin country of some users.
Last year, some Reddit users claimed that sex toy manufacturer Lovense recorded audio of them without their consent using the accompanying app to its devices. The company blamed a bug and updated its app.
Standard Innovation, the makers of We-Vibe, another smart toy manufacturer, settled a lawsuit in March after hackers at the DEF CON security conference discovered that smart vibrator user data was being sent to the company in real time. Standard Innovation agreed to pay up to $US10,000 ($12,554) for each instance of collected data. Following the settlement, the company said in a statement that it “enhanced our privacy notice, increased app security, provided customers more choice in the data they share, and we continue to work with leading privacy and security experts to enhance the app”.
Whether you think the security of your most intimate data is a joke or not, there’s no question that vulnerabilities like these are crap.