Adult Themed VR Game Leaks Data On Thousands (securityledger.com) 41
chicksdaddy writes from The Security Ledger: Somebody deserves a spanking after personal information on thousands of users of an adult virtual reality game was exposed to security researchers in the UK by a balky application. Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application -- a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger. Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count.
SinVR is a sex-themed virtual reality game that allows players to navigate in various adult-themed environments and interact with virtual characters in common pornographic themes including BDSM, cosplay, naughty teacher, and so on. The company discovered the data after reverse-engineering the SinVR desktop application and noticing a function named "downloadallcustomers." That function called a web service that returned thousands of SinVR customer records including email addresses, user names, computer PC names and so on. Passwords and credit card details were not part of the data dump, Harris said.
Naughty teacher? (Score:3)
Re: (Score:3)
The rather obligatory teaching theme ought to be:
If you enter your genuine personal information into a porn site's data base, you're taking a silly risk.
Re: (Score:2)
The rather obligatory teaching theme ought to be:
If you enter your genuine personal information into a porn site's data base, you're taking a silly risk.
Depends on whether you are worried about it or not, I guess. If a person is concerned about their data leaking out, they should never use computers at all..
Re: (Score:3)
You're using a computer, so you must not be worried. Feel free to post your real name, address, date of birth, mother's maiden name, first pet, city of birth and last four of your social security number here.
After all, there's nothing for you to be worried about, right?
I'm always concerned. But the intertoobz is not a secure place, and was never designed to be a secure place. I have whatever protections there are, and don't worry about it that much. Just use good care.
My point is that if a person wants to use masturbatory aids on the intertoobz, and would feel embarrassed or worse if the knowledge that he or she is using those aids, they shouldn't use a service that requires personal info. It's just the same thing with people who want to do criminal acts. The intertoob
Re: (Score:1)
If you enter your genuine personal information into a porn site's data base, you're taking a silly risk.
This is of course not the same thing, but OK Cupid is now asking for first names. I've heard of people actually entering them -- that and their actual pictures have led to some users actually being located in real life.
...
That being said, when they asked me I entered "Nope". Now they've begun sending me emails with Dear Nope,
I might tell a potential date my first name during the first conversation, but I'm sure NOT telling the entire world. (That, and it's fairly unique. My first name is enough to
Re: (Score:3)
Is the naughty teacher theme the one where they teach Evolution?
No, it's the 35 year old female boinking her underage students.
Re: (Score:2)
I wish I had been one of those students.
Just remember, she can say you victimized her, https://www.thestar.com/news/w... [thestar.com] , and http://www.dailymail.co.uk/new... [dailymail.co.uk] , and https://nypost.com/2017/12/20/... [nypost.com]
One of these days, and it won't be long, a female teacher will screw a little boy, and he'll be the one arrested.
Re: (Score:3)
Because it's profitable to harvest customer data and sell it. Duh.
Re: (Score:2)
Most likely it uses common library with some company tools and this function comes from there. Still no authentication for such a function...
Shocker! (Score:3)
"Balky" (Score:1)
Re: (Score:2)
Words are like nice new wood chisels that get stored in a common work area. They don't stay sharp long because people keep misusing them.
"Balky" means "tending to refuse to respond as directed". If you have a car which often fails to start, that is a balky car. Balkiness is a tendency to a particular kind of malfunction, but the submitter here used it as a synonym for "malfunctioning".
It is English (Score:2)
I've been using Balky (along with my whole family and many others I have met) in the U.S. since I was a kid. Never spelled out though, I admit it does look kind of funny (and I'm not even sure that's how it would be spelled for the U.S.).
Re: (Score:2)
I've always seen it spelled baulky, not balky, though both seem to be valid spellings according to dictionaries.
A function named downloadallcustomers (Score:2)
Demonstration the necessity of stripping all debug information before shipping the applications - DOH!
Re: (Score:2)
Demonstration the necessity of stripping all debug information before shipping the applications - DOH!
That would be step 1, sure, but the more important things would be:
* Stop putting access functions for internal APIs in public clients.
* Don't allow access to internal APIs from externally.
* Don't allow access to internal APIs without proper credentials.
This is a sign of completely screwed up security and programming. I don't care if this is porn, IoT, finance, or anything else: this is a sign of many deeper problems.
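The three points in the comment above, sketched server-side as an added example (not part of the thread and not SinVR's code). The endpoint paths, roles, signing key and sample records are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: server-only secret, never shipped in a client

# Constructed sample data standing in for the customer table.
CUSTOMERS = {
    "u1": {"email": "alice@example.test", "pc_name": "ALICE-PC"},
    "u2": {"email": "bob@example.test", "pc_name": "BOB-PC"},
}

def _sign(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id, role):
    """Server-side: bind user id and role into an HMAC-signed token."""
    body = f"{user_id}:{role}"
    return f"{body}:{_sign(body)}"

def verify_token(token):
    """Return (user_id, role) for a valid token, else None."""
    try:
        user_id, role, sig = token.split(":")
    except (AttributeError, ValueError):
        return None  # missing or malformed token
    expected = _sign(f"{user_id}:{role}")
    if hmac.compare_digest(sig.encode(), expected.encode()):
        return user_id, role
    return None

def handle(path, token=None, from_internal_net=False):
    """Hypothetical request handler returning (status, body); deny by default."""
    ident = verify_token(token)
    if ident is None:
        return 401, None  # no valid credentials, no data
    user_id, role = ident
    if path == "/customers/me":
        # A public client can only ever read its own record.
        return 200, CUSTOMERS.get(user_id)
    if path == "/internal/customers":
        # Bulk export needs a staff role AND an internal network origin.
        if role == "staff" and from_internal_net:
            return 200, list(CUSTOMERS.values())
        return 403, None
    return 404, None
```

With checks like these on the server, finding the bulk function's name in a shipped client gives a caller nothing more than a 401 or 403.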
Re: (Score:2)
I don't care if this is porn, IoT, finance, or anything else: this is a sign of many deeper problems.
Not to worry, porn is ALL ABOUT solving 'deeper' problems.
Shouldn't that be... (Score:2)