A Lovense Security Flaw May Be Letting People Take Over Accounts Without A Password


Sex toy company Lovense is leaking the email addresses of its app users and allowing account takeovers without asking for a password, according to a security researcher. As reported by TechCrunch, BobDaHacker, who describes themself as an ethical hacker committed to exposing and reporting security vulnerabilities, published an extensive report in which they accuse Lovense of failing to fix a serious bug it was first made aware of in 2023.

According to the hacker (and later verified by TechCrunch), Lovense allows any username to be turned into its owner's email address with the right know-how, a flaw they initially discovered after muting someone on the app. With their access to Lovense's API, they were able to get the emails associated with any public username in less than a second when running the modified request process through an automated script. They noted that the vulnerable nature of these accounts is "especially bad for cam models" who use the Lovense platform for work, and may share their usernames for these purposes.

The researcher also realized that with a user's email address (either one you already know or one obtained using the aforementioned disclosure bug), they could generate auth tokens that allowed them to take over the associated account without a password. This allegedly worked for the Lovense Chrome Extension and Lovense Connect app, as well as the company's Cam101 and StreamMaster software — and even admin accounts.

BobDaHacker said they initially reported the bugs to Lovense with assistance from the sex tech hacking project The Internet Of Dongs in March 2025, and received $3,000 in total for flagging them via the HackerOne security platform. After a series of interactions with Lovense representatives, they were told in early June that the account takeover bug had been fixed during the previous month, which the researcher claims is not true. Regarding the email disclosure flaw, Lovense said in a statement published by BobDaHacker that it could take up to 14 months to fix the issue, as a faster one-month fix would "require forcing all users to upgrade immediately," which it said would "disrupt support for legacy versions."

The researcher went on to say that they were contacted by a Twitter user who claimed to have found the same account takeover bug as far back as 2023, and were told soon after reporting it to Lovense that the bug had been resolved, which wasn't the case. They said a patch eventually fixed their method, which used an HTTP endpoint to convert a username into an email address, but that it wasn't rolled out until early 2025. BobDaHacker said they had requested comment from Lovense but at the time of writing had not received one.

This isn't the first time Lovense users have stumbled upon privacy-related bugs. In 2017, a Redditor discovered that the Lovense app, which allows users to control their sex toys remotely, was recording audio without their consent and saving it to their phone. A commenter on the Reddit post, who claimed to be a Lovense representative, called the recordings a "minor software bug" that affected the Android version of the app and said at the time that it had been fixed in an update.
