The security hole was uncovered during a regular security audit

Apr 2, 2014 07:06 GMT  ·  By

Oculus VR, the virtual reality company recently acquired by Facebook for $2 billion (€1.55 billion), has identified an SQL Injection vulnerability in the Oculus Developer Center.

“As an ongoing commitment to security for our internal systems, we regularly run security audits to identify vulnerabilities. Over the weekend we discovered a vulnerability that potentially allowed for SQL injection within the Oculus Developer Center,” Oculus VR representatives wrote on the Oculus Developer Forums.

“When we discovered the vulnerability, we took down our systems as a precautionary effort and applied the required fixes,” they added.

While there’s no indication that the SQL Injection vulnerability has been exploited to gain access to the database, all Developer Center users are required to change their passwords the next time they log in to their accounts.

Only password hashes are stored in the database. It’s uncertain which hashing algorithm was used, but it’s possible that the hashes could have been cracked if the company is requesting users to change them. In any case, Oculus VR representatives said they “wanted to be on the safe side.”

The company clarifies that no credit card or address information is stored in the affected database.
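The two points above, an SQL query built from user input and a table holding only password hashes, are the standard textbook pair, and a short worked example makes the defender's view concrete. The code below is an added illustration, not Oculus code and not the Developer Center schema: it uses a constructed in-memory SQLite table with hypothetical user names, shows the string-concatenation query pattern beside its parameterized form, stores passwords with salted PBKDF2 so leaked hashes resist offline guessing, and flags every account for a forced reset in the way the article describes.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Constructed sample schema (hypothetical; not the Oculus Developer Center's).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB, "
        "must_reset INTEGER NOT NULL DEFAULT 0)"
    )
    return conn

PBKDF2_ITERATIONS = 200_000  # deliberately slow: each guess costs the attacker this much work

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256 (a per-user salt defeats precomputed tables)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users (name, salt, hash) VALUES (?, ?, ?)", (name, salt, digest))

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The defect: untrusted input is spliced into the SQL text, so the input
    # can change the statement's structure rather than just its value.
    rows = conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
    return sorted(r[0] for r in rows)

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The fix: the driver sends the value separately, so it can only ever be compared as data.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return sorted(r[0] for r in rows)

def verify_password(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison

def force_reset_all(conn: sqlite3.Connection) -> int:
    """Post-incident step: require a new password from every user at next login."""
    return conn.execute("UPDATE users SET must_reset = 1").rowcount

def needs_reset(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT must_reset FROM users WHERE name = ?", (name,)).fetchone()
    return bool(row and row[0])

def demo() -> dict:
    conn = make_db()
    register(conn, "alice", "correct horse")
    register(conn, "bob", "battery staple")
    tautology = "x' OR '1'='1"  # classic regression-test input for the query layer
    result = {
        "vulnerable": lookup_vulnerable(conn, tautology),      # every row leaks
        "parameterized": lookup_parameterized(conn, tautology),  # no such user
        "good_login": verify_password(conn, "alice", "correct horse"),
        "bad_login": verify_password(conn, "alice", "wrong"),
    }
    result["reset_count"] = force_reset_all(conn)
    result["alice_needs_reset"] = needs_reset(conn, "alice")
    return result

if __name__ == "__main__":
    print(demo())
```

The tautology string is useful as a permanent regression test: any query path that returns rows for it is still concatenating input. The separate storage decision matters independently: with a fast unsalted digest a leaked table is cheap to brute-force, with salted PBKDF2 at this iteration count each guess is expensive, which is exactly why a forced reset is the conservative response when the exposure is uncertain.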

Oculus VR’s acquisition by Facebook has turned out to be a controversial topic. Palmer Luckey, one of the creators of the Oculus Rift virtual reality headset for 3D gaming, has revealed that he has received numerous harassment calls and even death threats.

“We expected a negative reaction from people in the short term, we did not expect to be getting so many death threats and harassing phone calls that extended to our families,” Luckey noted.

Many people are displeased with the acquisition because they believe their privacy could be impacted after Facebook starts using the virtual reality headset for social media purposes.

However, Oculus VR people have tried to calm everyone down.

“I’m not a ‘privacy is gone, get over it’ sort of person, and I fully support people that want to remain unobserved, but that means disengaging from many opportunities. The idea that companies are supposed to interact with you and not pay attention has never seemed sane to me,” John Carmack, the company’s chief technology officer, noted.

In any case, it’s a good thing that the company runs security audits on a regular basis to identify vulnerabilities. It’s also a good thing that they’re transparent and publicly report their findings.