Lovense was told its sex toy app leaked users’ emails and didn’t fix it

Lovense, the company known for creating internet-enabled sex toys, left its users’ email addresses unprotected for an extended period, despite being aware of the flaw. According to a blog post highlighted by TechCrunch and Bleeping Computer, security expert BobDaHacker discovered that any username could be converted into its associated email address, potentially allowing account takeovers.

Although BobDaHacker brought this security hole to Lovense’s attention in March, the researcher claims the company was slow to resolve it and has yet to completely fix the problem. Lovense, famous for its internet-connectable and app-controlled sex toys, faced criticism in 2017 for a separate minor bug that recorded users’ intimate sessions.

In the report, BobDaHacker uncovered something unusual with the app’s API while muting users: it disclosed their email addresses. By sending a modified request to Lovense’s servers, BobDaHacker could exploit this vulnerability to retrieve a user’s email address.

BobDaHacker went further to create a script capable of turning a username into an email address almost instantly. This poses a significant risk for cam models, who publicly share their usernames but wish to keep their personal emails private. Furthermore, BobDaHacker found a way to gain control of accounts using the email address and an authentication token from Lovense.

The initial report of these security issues was made in collaboration with the Internet of Dongs, an organization working to enhance the safety of internet-connected sex toys. BobDaHacker indicates that Lovense was slow to respond. The company described the account takeover flaw as fixed in April, although BobDaHacker disagrees and says that solving the email leak would take 14 months.

Lovense stated that it evaluated a quicker, one-month resolution, though it would necessitate immediate upgrades from all users, disrupting support for older versions. BobDaHacker notes that researchers alerted Lovense to the same account takeover issue again in 2023, but the company seems to have addressed it only superficially without an effective solution.

In a statement to Bleeping Computer, Lovense says it has submitted an app update “addressing the latest vulnerabilities” to app stores. “The full update is expected to be pushed to all users within the next week,” Lovense says. “Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.” Lovense didn’t immediately respond to The Verge’s request for comment.
