It’s yet another data leak. This time, it may leave some customers red-faced as an adult VR game is found to be leaking personal information.
It may be comparatively small, but the potential embarrassment could be pretty big. Security researchers in the UK have uncovered a function in the game SinVR that permits users to download the record of every customer in the database, including personal information such as names and e-mail addresses. From Security Ledger:
Researchers at Digital Interruption, a penetration testing firm based in Birmingham, UK, made a survey of various adult-themed applications and decided that the SinVR application looked like the most fruitful ground to explore. The group discovered the hole after reverse-engineering the SinVR desktop application and noticing a function named “downloadallcustomers”. That function called a web service that downloaded thousands of SinVR customer records including email addresses, user names, computer PC names and so on. Passwords and credit card details were not part of the data dump, Harris said.
The function was not accessible from the SinVR application, but by studying how the SinVR web API (application program interface) worked, Harris was able to trigger it manually. And, because no authentication is required, it would be possible for any SinVR user to download all customer records, Harris said.
He said the application, which relied on a Microsoft .NET library, was simple to reverse engineer and analyze. However, contacting the firm has proven challenging. More than one effort to reach out to the parent company, InVR Inc., has fallen flat, including messages sent by email, Twitter and on Reddit forums where the company is active.
Multiple efforts by The Security Ledger to contact inVR Inc. were also not returned.
(via /.)
The news follows the much more explosive Aadhaar data breach which saw 1 billion people from India exposed to anyone willing to pay 500 rupees (about $9.80 Canadian) earlier this month. Last year, there were a number of other leaks and breaches including the 300,000 accounts exposed in an Ancestry.com data leak, the 123 million Americans exposed in the Alteryx data leak and the 143 million exposed in the Equifax data breach.
While this data leak is comparatively small, it does show that seemingly careless coding still happens. Why leave a function like this in the game in the first place, where any hacker could potentially find it? The good news is that it seems a white hat hacker got to this vulnerability first.
So far, we aren’t aware of any misuse of the personal information exposed in this leak.
Drew Wilson on Twitter: @icecube85 and Google+.