Sex Toy Maker Lovense Caught Leaking Users’ Email Addresses And Exposing Accounts To Takeovers


A security researcher says sex toy maker Lovense has failed to fully fix two security flaws that expose the private email address of its users and allow the takeover of any user’s account.

The researcher, who goes by the handle BobDaHacker, published details of the bugs on Monday after Lovense claimed it would need 14 months to fix the flaws so as to not inconvenience users of some of its legacy products.

Lovense is one of the largest makers of internet-connected sex toys, and is said to have more than 20 million users. The company made headlines in 2023 for becoming one of the first sex toy makers to integrate ChatGPT into its products.

But the inherent security risks in connecting sex toys to the internet can put users at risk of real-world harm if something goes wrong, including device lock-ins and data privacy leaks.

BobDaHacker said they discovered that Lovense was leaking other people’s email addresses while using the app. Although other users’ email addresses were not visible to users in the app, anyone using a network analysis tool to inspect the data flowing in and out of the app would see the other user’s email address when interacting with them, such as muting them.

By modifying the network request from a logged-in account, BobDaHacker said they could associate any Lovense username with their registered email address, potentially exposing any customer who has signed up to Lovense with an identifiable email address.

“This was especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker wrote in their blog post.

TechCrunch verified this bug by creating a new account on Lovense and asking BobDaHacker to reveal our registered email address, which they did in about a minute. By automating the process with a computer script, the researcher said they could get a user’s email address in less than a second.

BobDaHacker said a second vulnerability allowed them to take over any Lovense user’s account using just their email address, which could be derived from the earlier bug. This bug lets anyone create authentication tokens for accessing a Lovense account without needing a password, allowing an attacker to remotely control the account as if they were the real user.

“Cam models use these devices for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,” said BobDaHacker.

The bugs affect anyone with a Lovense account or device.

BobDaHacker disclosed the bugs to Lovense on March 26 via the Internet of Dongs, a project that aims to improve the security and privacy of sex toys, and helps report and disclose flaws to device makers.

According to BobDaHacker, they were awarded a total of $3,000 via bug bounty site HackerOne. But after several weeks of back and forth disputing whether the bugs were actually fixed, the researcher went public this week after Lovense requested 14 months to fix the flaws. The company told BobDaHacker in the same email that it decided against a “faster, one-month fix,” which would have required forcing customers using older products to upgrade their apps immediately.

The researcher notified the company ahead of disclosure, per an email seen by TechCrunch. BobDaHacker said in a blog post update on Tuesday that the bug may have been identified by another researcher as far back as September 2023, but the bug was allegedly closed without a fix.

Lovense did not respond to an email from TechCrunch.

Zack Whittaker is the security editor at TechCrunch. He can be reached via encrypted message at zackwhittaker.1337 on Signal, or by email at zack.whittaker@techcrunch.com.
