Plugging a virtual leak: insecure VR app exposes customer data

Plugging a virtual leak: insecure VR app exposes customer data

I’ve been giving talks on the possible problems raised by virtual/augmented/mixed reality for a while now, and sure enough, we have what may be one of the first potentially major security issues thrown up by an in-the-wild application. Until a recent fix was applied, users of the pornography app SinVR could have found their subscriber information up for grabs.

Researchers over at Digital Interruption discovered names, email addresses, and device names for anyone with an account alongside those paying for content using PayPal. This information would be great for social engineering, fake SinVR emails, or just plain old blackmail/embarrassment antics should any attacker be so inclined.

They figured this out because while reversing the app, they realised they could make unauthenticated calls to endpoints, thanks to a function which looked as though it allowed SinVR to download a list of all users. Though they would have had to modify the binary to do this via the app, their web API meant it wasn’t necessary thanks to the previously mentioned endpoints.

If we cast our minds back to around the time of the SONY hack, games companies became popular targets, with company hacks, compromised databases, tampered game servers, and all sorts of other shenanigans. At the time, it was clear that many organisations weren’t doing as much as they could for security stakes; although now you don’t see quite as many game developers being compromised in such fashion these days.

VR, however, is a brave new world, and there are many new companies who may be in a similar place more traditional games firms were in a few years ago. While my primary interest in VR is seeing how in-game features can be affected, especially with the slow rise of VR ad networks, it’s clear that customer data—or just reversing the apps themselves—is also going to be a big deal.

The barrier to entry for VR development is lowering all the time, with reasonably priced “DIY” kits available online which allow anyone to start coding games. How many of those bedroom coders, who will no doubt release many of these projects with a price tag attached, will understand the complexities of securing both their games and their databases?

This is sadly likely to be the first of many such accidental VR data reveals. The only good news for the developer is that responsible individuals were the first to catch wind of this particular error, rather than someone up to no good. Of course, we’re only hoping they were the first. Realistically, we have no way of knowing if someone with mischief in mind has already figured it out.

Talk about a virtual catastrophe.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.