Virtual Porn With A Real Security Headache
LOS ANGELES – In crafting virtual reality entertainment, whether for a porn or non-porn context, my assumption is developers focus primarily on creating a great user experience. Do the environment and narrative engage the user? Does it feel truly immersive, or can more be done to make the user feel like a part of the story, a resident of the virtual world in which they find themselves, once they’ve donned their headset?
This focus on creative elements is both appropriate and understandable. After all, if you don’t create something which meets the user’s expectations for virtual reality, you’ve likely lost them, or at least diminished their enthusiasm for future VR projects associated with your brand.
A recent adult VR news item underlines the fact that developers also need to be cognizant of other, more mundane facets of delivering a good VR experience, especially if your adult VR platform collects potentially sensitive personally identifying information (“PII”) from the customers who use it.
In a blog post published last week, researcher Jahmel Harris of the Manchester, UK-based consultancy Digital Interruption reported on a high-risk vulnerability in a SinVR app, a flaw which “leaked customer information,” including “quite a lot of PII.”
“(N)ot only could an attacker use this to perform social engineering attacks, but due to the nature of the application it is potentially quite embarrassing to have details like this leaked,” Harris wrote about the risks presented by the vulnerability. “It is not outside the realm of possibility that some users could be blackmailed with this information.”
Contacted by YNOT for more information on the vulnerability and what caused it, Harris declined to get too specific about the issues, saying he couldn’t “go into too many details about the other vulnerabilities without giving SinVR a chance to fix them.”
“The reason we disclosed the one we did is because it related to customer details and the vulnerability was fairly easy to exploit,” Harris told YNOT.
Without delving into potentially damaging specifics, Harris indicated the biggest problem boiled down to defects in the app’s client-side validation.
“There was one interesting (vulnerability) where we were able to bypass a security control because the application itself verified the action,” Harris said. “By patching the app (or changing the data) we were able to change the logic of the app so a specific check passed as true.”
Harris said his research also revealed a “lack of thought about the security of the API.”
“We saw a few things we wouldn’t have expected from a well-tested API,” Harris said, “which ultimately led to us accessing customer data.”
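The two problems Harris describes, a check that the client app performs and merely reports to the server, and an API that hands out customer records without re-verifying who is asking, share one root cause: the server trusts something the client decided. The following is an added illustration, not code from SinVR or from Digital Interruption’s research; the account records, request shape and field names (`check_passed`, `premium`) are constructed for the example. Each anti-pattern is shown beside the server-side version that cannot be flipped by patching the app or editing the request body.

```python
"""Client-trusted vs. server-enforced checks (illustrative, constructed data)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed server-side account store: account id -> profile record.
ACCOUNTS = {
    "acct-1001": {"email": "alice@example.invalid", "premium": True},
    "acct-1002": {"email": "bob@example.invalid", "premium": False},
}


@dataclass
class Request:
    """Stand-in for an API request after the session token has been validated.

    session_account: the account the validated session belongs to (server-known).
    target_account:  the account whose details the client asked for (client-chosen).
    body:            the JSON body exactly as the client sent it (client-controlled).
    """
    session_account: str
    target_account: str
    body: dict = field(default_factory=dict)


# --- Problem 1: a logic check performed by the app and reported to the server ---

def vulnerable_unlock_scene(req: Request) -> bool:
    """Anti-pattern: the app decides whether the user is premium and tells the
    server the result. A patched client, or an edited body, just sends
    {"premium": true} and the check 'passes as true'."""
    return bool(req.body.get("premium"))


def hardened_unlock_scene(req: Request) -> bool:
    """The server answers the question from its own records, keyed by the
    authenticated session. The body is not consulted at all."""
    acct = ACCOUNTS.get(req.session_account)
    return bool(acct and acct["premium"])


# --- Problem 2: an API that trusts a client-supplied 'check passed' flag ---

def vulnerable_get_profile(req: Request) -> Optional[dict]:
    """Anti-pattern: access to any account's record is gated only on a flag the
    client asserts, so any user can read any other user's PII."""
    if not req.body.get("check_passed"):
        return None
    return ACCOUNTS.get(req.target_account)


def hardened_get_profile(req: Request) -> Optional[dict]:
    """Ownership is enforced server-side: a record is returned only when the
    requested account is the one bound to the validated session."""
    if req.target_account != req.session_account:
        return None
    return ACCOUNTS.get(req.target_account)


def demo() -> dict:
    """Run one forged request (Bob's session, asking for Alice's data with
    both flags set) through each pair and report what leaks."""
    forged = Request(session_account="acct-1002",
                     target_account="acct-1001",
                     body={"premium": True, "check_passed": True})
    return {
        "vulnerable_scene_unlocked": vulnerable_unlock_scene(forged),
        "hardened_scene_unlocked": hardened_unlock_scene(forged),
        "vulnerable_profile_leaked": vulnerable_get_profile(forged) is not None,
        "hardened_profile_leaked": hardened_get_profile(forged) is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened functions never read the decision from the request; they recompute it from state only the server holds. That is the whole difference between a control that survives a modified client and one that does not, and it is also what a test suite for the API should exercise: a request for another account’s record with every client-side flag set should come back empty.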
Finally, in a general sense, Harris said the SinVR app’s “authentication could be improved.”
“Again, I can’t go into details,” Harris said, “but that is an area I noticed could have been done better.”
If this all sounds basic and fundamental where security is concerned, it’s because it is. If you seek out information on security best practices for apps, whether the apps in question are VR, web-based or mobile apps, you’ll inevitably read advice under headings like “Improve user authentication” or “encrypt everything” or “Find and Analyze Your App Vulnerabilities.”
Once SinVR has fully addressed the app’s vulnerabilities, Harris may write a follow-up post addressing some of the details he doesn’t yet feel comfortable discussing publicly. If/when he does, there may be more developers can learn from the exposure of the SinVR vulnerability. Either way, this situation is a good reminder to developers that when it comes to securing apps, it pays to mind the security best practice basics – and to rigorously and thoroughly test your products before taking them to market.