Adult Themed VR Game Leaks Data On Thousands

chicksdaddy writes from The Security Ledger: Somebody deserves a spanking after personal information on thousands of users of an adult virtual reality game were exposed to security researchers in the UK by a balky application. Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application -- a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger. Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count.

SinVR is a sex-themed virtual reality game that allows players to navigate in various adult-themed environments and interact with virtual characters in common pornographic themes including BDSM, cosplay, naughty teacher, and so on. The company discovered the data after reverse-engineering the SinVR desktop application and noticing a function named "downloadallcustomers." That function called a web service that returned thousands of SinVR customer records including email addresses, user names, computer PC names and so on. Passwords and credit card details were not part of the data dump, Harris said.

Naughty teacher?

[110010001000]

Is the naughty teacher theme the one where they teach Evolution?

Re:Naughty teacher?

[rmdingler]

The rather obligatory teaching theme ought to be:

If you enter your genuine personal information into a porn site's data base, you're taking a silly risk.

Re:Naughty teacher?

[Ol+Olsoc]

Is the naughty teacher theme the one where they teach Evolution?

No, it's the 35 year old female boinking her underage students.

Re:Naughty teacher?

[Ol+Olsoc]

The rather obligatory teaching theme ought to be:

If you enter your genuine personal information into a porn site's data base, you're taking a silly risk.

Depends on whether you are worried about it or not, I guess. If a person is concerned about their data leaking out, they should never use computers at all..

Re:Naughty teacher?

You're using a computer, so you must not be worried. Feel free to post your real name, address, date of birth, mother's maiden name, first pet, city of birth and last four of your social security number here.

After all, there's nothing for you to be worried about, right?

Re:Naughty teacher?

No, it's the 35 year old female boinking her underage students.

I wish I had been one of those students.

Re: Naughty teacher?

That someone is 35, female and a teacher is good enough for you to say ok? That's a nice threshold.

Re:Naughty teacher?

[Ol+Olsoc]

You're using a computer, so you must not be worried. Feel free to post your real name, address, date of birth, mother's maiden name, first pet, city of birth and last four of your social security number here.

After all, there's nothing for you to be worried about, right?

I'm always concerned. But the intertoobz is not a secure place, and was never designed to be a secure place. I have whatever protections there are, and don't worry about it that much. Just use good care.

My point is that if a person wants to use masturbatory aids on the intertoobz, and would feel embarassed or worse if the knowledge that he or she is using those aids, they shouldn't use a service that requires personal info. It's just the same thing with people who want to do criminal acts. The intertoobz is the worst place to do that. Because even with encryption, they are drawing attention to themselves.

It's like someone using a skywriting service to send encrypted messages. The powers that be might not know what is in those messages, but they can follow the plane, find where it lands, and have anice chat with the pilot, his boss, and eventually the people who paid for the encrypted can be found.

Re:Naughty teacher?

[Ol+Olsoc]

No, it's the 35 year old female boinking her underage students.

I wish I had been one of those students.

Just remember, she can say you victimized her, https://www.thestar.com/news/w... , and http://www.dailymail.co.uk/new... , and https://nypost.com/2017/12/20/...

One of these days, and it won't be long, a female teacher will screw a little boy, and he'll be the one arrested.

Re:Naughty teacher?

[grep+-v+'.*'+*]

If you enter your genuine personal information into a porn site's data base, you're taking a silly risk.

This is of course not the same thing, but OK Cupid is now asking for first names. I've heard of people actually entering them -- that and their actual pictures have led to some users actually being located in real life.

That being said, when they asked me I entered "Nope". Now they've begun sending me emails with Dear Nope, ...

I might tell a potential date my first name during the first conversation, but i'm sure NOT telling the entire world. (That, and it's fairly unique. My first name is enough to narrow it down to easily less than 50 people, any other information and you've pegged me. That's great and all, but dating information is a two-way street.)

Why would it have data

Why would the game even have data, or connect online?

Re:Why would it have data

[GrumpySteen]

Because it's profitable to harvest customer data and sell it. Duh.

Backdoor?

The company discovered the data after reverse-engineering the SinVR desktop application and noticing a function named "downloadallcustomers."

Why would such an api be in the application?

Re:Backdoor?

[jarkus4]

Most likely it uses common library with some company tools and this function comes from there. Still no authentication for such a function...

Why the fuck...

Do they have a function to download All customer data, from a customer client. Just why.

Re:Why the fuck...

Likely a bunch of fake names and burn mail addresses but why is right,when porn uses DRM i don't need porn any more.

Shocker!

[demonlapin]

Porn VR game has bad security? Who knew?

Re:Shocker!

Find out their insurance company, or ring a few and list the directors that carry enhanced 'risk'. Were legal council involved?
Now take that list and find out who live in the EU - data protection laws
Repeat for USA - any lawyers as customers?
I'm sure the directors won't mind having their personal information well published, which can be given to some wimmins social justice groups.

Example

Another example of a company(InVR Inc) not listening and believing they know best blah blah blah.

"Balky"

[Anne+Thwacks]

What does that mean? its not English, so you can't blame the spelling corrector, and bulky my be true, but is not relevant here.

Re:"Balky"

One assume's it's the American spelling of Baulky.

Re:"Balky"

What does that mean? its not English, so you can't blame the spelling corrector, and bulky my be true, but is not relevant here.

It's just an adjectival form of balk. Perfectly normal English. A balky horse is one that refuses to jump over fences as its rider intends. A balky application is one not doing what its user or designer intends.

Re:"Balky"

[hey!]

Words are like nice new wood chisels that get stored in a common work area. They don't stay sharp long because people keep misusing them.

"Balky" means "tending to refuse to respond as directed". If you have a car which often fails to start, that is a balky car. Balkiness is a tendency to a particular kind of malfunction, but the submitter here used it as a synonym for "malfunctioning".

Re:"Balky"

Yes, how old are you?

What else did you expect?

The name of the game is SinVR - did you expect ethics and/or morality?

A function named downloadallcustomers

[najajomo]

'The company discovered the data after reverse-engineering the SinVR desktop application and noticing a function named "downloadallcustomers."'

Demonstration the necessity of stripping all debug information before shipping the applications - DOH!

Re:A function named downloadallcustomers

[kqs]

Demonstration the necessity of stripping all debug information before shipping the applications - DOH!

That would be step 1, sure, but the more important things would be:
    * Stop putting access functions for internal APIs in public clients.
    * Don't allow access to internal APIs from externally.
    * Don't allow access to internal APIs without proper credentials.

This is a sign of completely screwed up security and programming. I don't care if this is porn, IoT, finance, or anything else: this is a sign of many deeper problems.

Re:A function named downloadallcustomers

[mentil]

I don't care if this is porn, IoT, finance, or anything else: this is a sign of many deeper problems.

Not to worry, porn is ALL ABOUT solving 'deeper' problems.

It is english

[SuperKendall]

I've been using Balky (along with my whole family and many others I have met) in the U.S. since I was a kid. Never spelled out though, I admit it does look kind of funny (and I'm not even sure that's how it would be spelled for the U.S.).

Re:It is english

[kqs]

I've always seen it spelled baulky, not balky, though both seem to be valid spellings according to dictionaries.

Shouldn't that be...

[meglon]

Somebody has failed to deserve a spanking......