Sex toy maker Lovense caught leaking users’ email addresses and exposing accounts to takeovers

A significant security vulnerability has been uncovered in Lovense, a leading manufacturer of internet-connected sex toys, revealing that the company has failed to fully address critical flaws. These vulnerabilities reportedly expose users’ private email addresses and allow for complete account takeovers, posing substantial privacy and security risks.

The security researcher, known as BobDaHacker, publicly detailed these security shortcomings on Monday after Lovense allegedly stated they would require 14 months to implement a full fix. This extended timeline was reportedly chosen to avoid inconveniencing users of legacy products, a decision that has raised serious concerns within the cybersecurity community, where the norm is to give vendors three months or less for remediation before public disclosure.

Lovense, recognized as one of the largest players in the connected sex toy market with over 20 million users, garnered attention in 2023 for its integration of ChatGPT into its products. However, the inherent security risks associated with internet-connected devices, particularly those handling highly sensitive personal data, underscore the potential for severe real-world harm, including device lock-ins and significant data privacy breaches, as seen in previous incidents involving smart chastity cages.

BobDaHacker initially discovered that Lovense was inadvertently leaking the email addresses of other users within the app. Although the addresses were never shown in the app’s interface, a simple network analysis tool could capture them from the traffic generated by ordinary interactions, such as muting another user. Further investigation revealed that by modifying network requests, any Lovense username could be resolved to its registered email address, potentially exposing countless users who signed up with identifiable email accounts. “This was especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker stated in their blog.

The severity escalated with the discovery of a second vulnerability, allowing an attacker to take over any Lovense user’s account using only their email address, which could be derived from the first flaw. This bug enables the creation of authentication tokens without a password, granting remote control over the account. BobDaHacker emphasized the critical impact: “Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address.”
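As an added illustration (not Lovense’s code and not the researcher’s), the two server-side checks whose absence the two bugs above describe: a response serializer that never returns another user’s email address, and a token issuer that verifies the password before minting anything. The user store, field names and token format are assumptions for the example.

```python
"""Added example: defensive checks for the two bug classes described above.
The user store, field names and token format are assumptions, not Lovense's."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; passwords are never stored or compared in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(username: str, email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "email": email,
            "salt": salt, "pw_hash": _hash_password(password, salt)}

# Constructed sample accounts (addresses use the reserved .invalid TLD).
USERS = {
    "cam_model_1": make_user("cam_model_1", "private@example.invalid", "hunter2!"),
    "viewer_7": make_user("viewer_7", "viewer@example.invalid", "correct horse"),
}

PUBLIC_FIELDS = {"username"}  # everything else belongs to the account owner only

def serialize_user(username: str, requester: str) -> dict:
    """Bug class 1: a 'mute' or username-lookup response must never echo
    another user's email. Only the owner of the account sees private fields."""
    user = USERS[username]
    if requester == username:
        return {"username": user["username"], "email": user["email"]}
    return {k: v for k, v in user.items() if k in PUBLIC_FIELDS}

def issue_token(email: str, password: str) -> Optional[str]:
    """Bug class 2: a session token is minted only after the password is
    verified, so knowing an email address alone yields nothing."""
    user = next((u for u in USERS.values() if u["email"] == email), None)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    return secrets.token_urlsafe(32)  # opaque random token (assumed format)
```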

These critical bugs affect all Lovense account holders and device users.

The vulnerabilities were initially disclosed to Lovense on March 26 through the Internet of Dongs, a project dedicated to enhancing the security and privacy of sex toys and facilitating responsible disclosure to manufacturers. BobDaHacker confirmed receiving $3,000 via bug bounty site HackerOne. However, public disclosure became necessary after weeks of disputing the fix status and Lovense’s proposed 14-month remediation period, which included rejecting a faster, one-month solution that would have required older product users to update immediately.

It was also revealed that the bug might have been identified by another researcher as early as September 2023, but was reportedly closed without a fix. Following the publication of this report, a Lovense representative stated that the account takeover bug has now been fully addressed, and the email disclosure bug is expected to be patched in an update pushed to all users within the next week. The company did not commit to publicly notifying its customers about these incidents.

© 2025 Proaitools. All rights reserved.