Details about two vulnerabilities in an adult-themed virtual reality (VR) application were available to the general public for five days before the vendor intervened and patched the security holes.
Research published by Digital Interruption, a UK-based cyber-security company, revealed that SinVR, a web-based service selling adult-themed VR applications, contained two vulnerabilities that would have allowed an attacker to download names, email addresses and device (PC) names for everyone with an account on the site or for people who purchased content using PayPal accounts.
"Initially we planned on releasing this post after the vulnerabilities were fixed, however after several attempts we were not able to contact the company behind SinVR," a Digital Interruption researcher said in a January 10 blog post.
"We tried emailing the addresses we could find, sending private messages to their (active) reddit account and reaching out via Twitter," he added. "Due to the nature of the issues found, we made the tough decision of bringing one of the issues to the attention of the public in order to warn users their data was not being protected adequatly. [sic]"
While the researchers didn't publish proof-of-concept code, they did share redacted screenshots from which an astute attacker could work out how to exploit the flaws.
Five days after public disclosure and after a few stories started hitting some larger news outlets, SinVR patched its service.
While data breaches at financial institutions usually have purely financial repercussions, data leaks from adult websites have more far-reaching consequences.
For example, after the 2015 breach at dating site Ashley Madison, a Louisiana pastor took his own life after he was outed as having an account on the site.
Digital Interruption researchers say the type of information leaked by SinVR has the potential to be "quite embarrassing" and that it is "not outside the realm of possibility that some users could be blackmailed."
Bleeping Computer has reached out to SinVR and formally asked the company whether it detected anyone using the vulnerabilities reported by Digital Interruption to harvest customer data from its site.
UPDATE: A SinVR spokesperson has provided the following statement regarding the incident:
Digital Interruption gave us ample warning before posting their finding and we fixed the issue as soon as it was revealed to us. We are in contact with them and they confirmed that the outlined security hole was closed. We have not detected any evidence that the flaw was used to harvest data on our customers. Altogether, it has been a tremendous learning experience, which will serve to enhance our security and we are glad that it was conducted ethically. Moving forward, we are confident in our ability to prevent security holes and will keep using a professional security service to audit our system. We are making sure that all ‘back door’ intrusions are fully consensual.