Lovense, a company known for its internet-connected sex toys, has come under scrutiny for failing to address a significant security flaw that exposed user emails for several months. A security researcher, known as BobDaHacker, discovered that the company’s app allowed anyone to convert usernames into email addresses, potentially leading to account takeovers.

In a blog post highlighted by TechCrunch and Bleeping Computer, BobDaHacker reported that the vulnerability was originally disclosed to Lovense in March 2023. Despite this, the company reportedly delayed fixing the issue, leading to ongoing concerns about user privacy and security.

The vulnerability was identified when BobDaHacker noticed an unusual response from the app’s API while attempting to mute users. This response inadvertently revealed users’ email addresses. By sending modified requests to Lovense’s servers, the researcher was able to exploit this flaw, creating a script capable of retrieving email addresses from usernames in under a second.
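The defensive lesson in the paragraph above is that an endpoint built for one purpose (muting) returned far more of the user record than the caller needed. The following Python is an added illustration, not Lovense's code or the researcher's script: it contrasts a handler that serialises the whole user object with one that projects through an explicit allow-list, and adds a small response scanner that can be run in tests or as an egress check to flag values that look like email addresses. All names (`User`, `USERS`, `mute_user`, `find_email_leaks`) and the sample records are constructed for the example.

```python
"""Allow-listed API response models as a defence against leaking PII
through an unrelated endpoint (constructed example, not Lovense code)."""
from dataclasses import dataclass, asdict
import json
import re


@dataclass
class User:
    user_id: int
    username: str
    email: str          # PII: must never appear in a public response
    muted: bool = False


# Constructed sample store standing in for the app's user database.
USERS = {
    "model_alice": User(1, "model_alice", "alice@example.test"),
    "viewer_bob": User(2, "viewer_bob", "bob@example.test"),
}

# Fields a client legitimately needs after muting someone.
PUBLIC_USER_FIELDS = ("user_id", "username", "muted")


def mute_user_leaky(target: str) -> dict:
    """'Before' shape: serialises the whole record, so a call made for one
    purpose (muting) also hands back the target's email."""
    user = USERS[target]
    user.muted = True
    return {"ok": True, "user": asdict(user)}


def public_view(user: User) -> dict:
    """Allow-list projection: only listed fields ever leave the server."""
    return {field: getattr(user, field) for field in PUBLIC_USER_FIELDS}


def mute_user(target: str) -> dict:
    """Hardened handler: identical behaviour, response built from the
    allow-list instead of the raw record."""
    user = USERS[target]
    user.muted = True
    return {"ok": True, "user": public_view(user)}


EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[^@\s\"']+")


def find_email_leaks(response: dict) -> list:
    """Guard/test helper: walks any JSON-serialisable payload and returns
    the key paths whose string values look like email addresses."""
    leaks = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for idx, value in enumerate(node):
                walk(value, f"{path}[{idx}]")
        elif isinstance(node, str) and EMAIL_RE.fullmatch(node):
            leaks.append(path)

    walk(response, "")
    return leaks


if __name__ == "__main__":
    leaky = mute_user_leaky("model_alice")
    print(json.dumps(leaky), "->", find_email_leaks(leaky))   # flags user.email
    safe = mute_user("model_alice")
    print(json.dumps(safe), "->", find_email_leaks(safe))     # flags nothing
```

The allow-list is the real fix: a scanner like `find_email_leaks` only catches the symptom (an email-shaped string), so it belongs in the test suite or at the response-logging layer as a detection, while `public_view` is what prevents the exposure regardless of which fields the stored record grows in future.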

“This is especially problematic for cam models who share their usernames publicly but do not want their personal emails exposed,” BobDaHacker noted in his post. The researcher further indicated that with an email address and an authentication token generated by Lovense, it was possible to take over a user’s account.

Initially, BobDaHacker collaborated with the Internet of Dongs, a group focused on enhancing the security of internet-connected sex toys, to report these vulnerabilities. Yet, despite assurances from Lovense that the account takeover issue was fixed in April, BobDaHacker claimed the problem persisted. Lovense stated that a fix for the email leak would take up to 14 months to implement, explaining that a faster fix could disrupt support for older versions of the app.

Security researchers had previously reported similar vulnerabilities to Lovense in 2023, but the company appeared to close the bug report without making necessary corrections.

In response to these allegations, Lovense issued a statement to Bleeping Computer, asserting that an app update addressing the latest vulnerabilities had been submitted to app stores. “The full update is expected to be pushed to all users within the next week,” the company said. “Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.”

Despite Lovense’s assurances, the delay in addressing such critical vulnerabilities raises questions about the company’s commitment to user privacy and security. As the rollout of the updates progresses, many users remain vigilant regarding the protection of their personal information in an increasingly connected world.