
Sex toy maker Lovense caught leaking users’ email addresses and exposing accounts to takeovers

By GT, July 29, 2025, TechCrunch


A security researcher says sex toy maker Lovense has failed to fully fix two security flaws that expose the private email addresses of its users and allow the takeover of any user’s account.

The researcher, who goes by the handle BobDaHacker, published details of the bugs on Monday after Lovense claimed it would need 14 months to fix the flaws so as to not inconvenience users of some of its legacy products.

Lovense is one of the largest makers of internet-connected sex toys and is said to have more than 20 million users. The company made headlines in 2023 for becoming one of the first sex toy makers to integrate ChatGPT into its products. 

But the inherent security risks in connecting sex toys to the internet can put users at risk of real-world harm if something goes wrong, including device lock-ins and data privacy leaks.

BobDaHacker said they discovered that Lovense was leaking people’s email addresses while using the app. Although other users’ email addresses were not visible to users in the app, anyone using a network analysis tool to inspect the data flowing in and out of the app would see the other user’s email address when interacting with them, such as muting them. 

By modifying the network request from a logged-in account, BobDaHacker said they could associate any Lovense username with their registered email address, potentially exposing any customer who has signed up to Lovense with an identifiable email address.

“This was especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker wrote in their blog post.

TechCrunch verified this bug by creating a new account on Lovense and asking BobDaHacker to reveal our registered email address, which they did in about a minute. By automating the process with a computer script, the researcher said they could obtain a user’s email address in less than a second.
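The email exposure described above belongs to a class of bug where the server sends a full user record and relies on the app to hide private fields. The added example below is not Lovense's code: the `User` record, the mute handlers and the `foreign_emails` check are hypothetical, and the accounts are constructed. It shows the leaky response beside an allow-listed one, plus a regression check a team could run over API responses.

```python
from dataclasses import dataclass, asdict

@dataclass
class User:
    user_id: int
    username: str
    email: str

# Constructed sample accounts (hypothetical).
USERS = {
    1: User(1, "viewer_one", "viewer@example.test"),
    2: User(2, "cam_model", "private@example.test"),
}

PUBLIC_FIELDS = ("user_id", "username")  # all that another user may receive

def mute_response_leaky(viewer: User, target: User) -> dict:
    """'Before': the whole record is serialised; only the UI hides the email."""
    return {"action": "mute", "ok": True, "target": asdict(target)}

def mute_response_safe(viewer: User, target: User) -> dict:
    """'After': the reply is built from an allow-list, so private fields stay server-side."""
    record = asdict(target)
    return {"action": "mute", "ok": True,
            "target": {k: record[k] for k in PUBLIC_FIELDS}}

def foreign_emails(payload, viewer: User, path: str = "$") -> list:
    """Walk a JSON-like response and return (path, email) for every account
    email other than the viewer's own that appears anywhere in it."""
    known = {u.email for u in USERS.values()} - {viewer.email}
    if isinstance(payload, dict):
        return [hit for key, value in payload.items()
                for hit in foreign_emails(value, viewer, f"{path}.{key}")]
    if isinstance(payload, (list, tuple)):
        return [hit for i, value in enumerate(payload)
                for hit in foreign_emails(value, viewer, f"{path}[{i}]")]
    if isinstance(payload, str):
        return [(path, email) for email in known if email in payload.lower()]
    return []

if __name__ == "__main__":
    viewer, target = USERS[1], USERS[2]
    print(foreign_emails(mute_response_leaky(viewer, target), viewer))
    print(foreign_emails(mute_response_safe(viewer, target), viewer))
```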

BobDaHacker said a second vulnerability allowed them to take over any Lovense user’s account using just their email address, which could be derived from the earlier bug. This bug lets anyone create authentication tokens for accessing a Lovense account without needing a password, allowing an attacker to remotely control the account as if they were the real user. 

“Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,” said BobDaHacker. 
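The account takeover described above comes down to a token being issued to whoever names an account. The added sketch below is not Lovense's code: the account store, function names and passphrase are hypothetical and constructed. It puts that behaviour next to an issuer that demands proof of the password before creating a session.

```python
import hashlib
import hmac
import os
import secrets

def _kdf(password: str, salt: bytes) -> bytes:
    # Slow password hash from the standard library (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account store: email -> (salt, password hash).
_SALT = os.urandom(16)
ACCOUNTS = {"user@example.test": (_SALT, _kdf("constructed-passphrase", _SALT))}
# Dummy entry so unknown emails cost the same work as known ones.
_DUMMY = (os.urandom(16), os.urandom(32))
SESSIONS = {}  # token -> email

def issue_token_vulnerable(email: str):
    """'Before': the caller's claim about who they are is the only input."""
    if email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token

def issue_token_hardened(email: str, password: str):
    """'After': a token is created only after the password is verified."""
    salt, stored = ACCOUNTS.get(email, _DUMMY)
    matches = hmac.compare_digest(_kdf(password, salt), stored)
    if not matches or email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token

if __name__ == "__main__":
    print(issue_token_vulnerable("user@example.test") is not None)
    print(issue_token_hardened("user@example.test", "guess") is None)
```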

The bugs affect anyone with a Lovense account or device.

BobDaHacker disclosed the bugs to Lovense on March 26 via the Internet of Dongs, a project that aims to improve the security and privacy of sex toys and helps report and disclose flaws to device makers. 

According to BobDaHacker, they were awarded a total of $3,000 via bug bounty site HackerOne. But after several weeks of back-and-forth disputing whether the bugs were actually fixed, the researcher went public this week after Lovense requested 14 months to fix the flaws. (Security researchers typically grant vendors three months or less to fix a security bug before going public with their findings.) The company told BobDaHacker in the same email that it decided against a “faster, one-month fix,” which would have required forcing customers using older products to upgrade their apps immediately.

The researcher notified the company ahead of disclosure, per an email seen by TechCrunch. BobDaHacker said in a blog post update on Tuesday that the bug may have been identified by another researcher as far back as September 2023, but the bug was allegedly closed without a fix. 

Lovense did not respond to an email from TechCrunch sent prior to publication. After we published, a Lovense representative said the account takeover bug “has now been fully addressed” and that the email disclosure bug will be patched in an update expected to be “pushed to all users within the next week.” The representative would not commit to publicly notifying its customers about the bugs.

Updated with comment from Lovense.


