Details about two vulnerabilities in an adult-themed virtual reality (VR) application were available to the general public for five days before the vendor intervened and patched the security holes.
Research published by Digital Interruption, a UK-based cyber-security company, revealed that SinVR, a web-based service selling adult-themed VR applications, contained two vulnerabilities that would have allowed an attacker to download names, email addresses and device (PC) names for everyone with an account on the site or for people who purchased content using PayPal accounts.
Researchers go public after vendor didn’t reply
“Initially we planned on releasing this post after the vulnerabilities were fixed, however after several attempts we were not able to contact the company behind SinVR,” a Digital Interruption researcher said in a January 10 blog post.
“We tried emailing the addresses we could find, sending private messages to their (active) reddit account and reaching out via Twitter,” he added. “Due to the nature of the issues found, we made the tough decision of bringing one of the issues to the attention of the public in order to warn users their data was not being protected adequatly. [sic]”
While researchers didn’t publish proof-of-concept code, they did share redacted screenshots from which an astute attacker could work out how to exploit the flaws.
Security holes patched five days after public disclosure
Five days after public disclosure and after a few stories started hitting some larger news outlets, SinVR patched its service.
While data breaches at financial institutions usually have purely financial repercussions, data leaks from adult websites have more far-reaching consequences.
For example, after a 2015 breach at dating site Ashley Madison, a Louisiana pastor took his life when he was outed as having an account on the site.
Digital Interruption researchers say the type of information leaked by SinVR has the potential to be “quite embarrassing” and that it is “not outside the realm of possibility that some users could be blackmailed.”
Bleeping Computer has reached out to SinVR and formally asked the company whether it detected anyone using the vulnerabilities reported by Digital Interruption to harvest customer data from its site.