Respond to Emails, or Have Your Security Issues Covered by the BBC
British cybersecurity firm Digital Interruption recently uncovered a loophole in a SinVR app that left 20,000 users’ personal data, including user names and email addresses, vulnerable.
SinVR is a VR game space that lets users explore various adult-themed environments and interact with virtual characters. It works with most major VR headsets including the HTC Vive and Oculus Rift.
Per a Digital Interruption blog post dated Jan. 9 2018, “pulling robots apart and killing zombies does eventually get boring so [we] decided to see what else could be done in Virtual Reality.” After reading multiple recommendations from around the internet to check out SinVR, Digital Interruption decided to “pull apart” their app, which is how they discovered the security issue.
“[W]e found a high risk vulnerability in the SinVR application that leaked customer information and several deviations from security best practice. Initially we planned on releasing this post after the vulnerabilities were fixed, however after several attempts we were not able to contact the company behind SinVR. We tried emailing the addresses we could find, sending private messages to their (active) reddit account and reaching out via Twitter,” Digital Interruption wrote.
“Due to the nature of the issues found, we made the tough decision of bringing one of the issues to the attention of the public in order to warn users their data was not being protected adequately,” the organization added.
According to coverage from the BBC (Jan. 16 2018), SinVR’s app security flaw has now been fixed.
SinVR thanked Digital Interruption for highlighting the issue and promised to improve security. “Altogether, it has been a tremendous learning experience,” the BBC reported.
“Moving forward, we are confident in our ability to stop similar attacks and will keep using a professional security service to audit our system.”
In addition to this being a very important lesson regarding app security, this incident between Digital Interruption and SinVR underscores another very important “flaw” often found in correspondence – answer your damn emails, or else you might end up on the BBC.
Looks like @sinvrxxx has fixed the vulnerability we raised that exposed thousands of user details. Thanks to @troyhunt and @securityledger for helping us get the word out.
If they'd like to get in touch with us, we'd like to share details about some other vulns we found.
— Digital Interruption (@DI_Security) January 14, 2018