Around 20,000 people have had their data exposed following a security leak at adult VR app SinVR. SinVR is a pornographic virtual-reality game offering users their own “private dungeon”.

As Security Ledger reports, tens of thousands of customer records were uncovered by UK security firm Digital Disruption, which found a high-risk vulnerability in the SinVR application. This led the ethical hackers to the names, email addresses and device names for everyone with a SinVR account, as well as anyone who paid for content using PayPal.

“Not only could an attacker use this to perform social engineering attacks, but, due to the nature of the application, it is potentially quite embarrassing to have details like this leaked,” writes Digital Disruption in a blogpost. “It is not outside the realm of possibility that some users could be blackmailed with this information.”

Digital Disruption discovered the vulnerability as part of a survey of adult websites. The team reverse engineered the SinVR desktop app, and came across the inconspicuously named function “downloadallcustomers”.

The function couldn’t be enabled from the application itself, but by looking at how the web API worked, the researchers triggered it manually. After being frustrated in their attempts to contact the parent company of SinVR, InVR Inc, the researchers took the step of going public with their findings, which they did last week, although not without censoring personal details in their screenshots.
