A cybersecurity researcher has identified critical vulnerabilities in an app developed by sex toy manufacturer Lovense that not only exposed the private email addresses of users but also enabled threat actors to hijack a user’s account on the platform.
The anonymous researcher, who uses the handle BobDaHacker, published their findings about the two in-app security flaws on Monday, July 28. Anyone who has created an account on the Lovense app may have been affected by the two bugs.
“We could have easily harvested emails from any public username list. This was especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker wrote in their blog post. “Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,” they added.
Lovense is considered to be one of the largest brands that sell IoT-based sex toys. It has over 20 million users. In 2023, the Singapore-headquartered company announced it was the first to integrate OpenAI’s ChatGPT into its products, according to a report by TechCrunch.
The recently discovered security vulnerabilities underscore the risks that come with using IoT-based sex toys, including privacy violations and device lock-ins. The disclosure comes less than a week after Tea, an app that lets women anonymously comment on and review dates with men, said it suffered a data breach, with hackers gaining access to 72,000 user images.
How has Lovense responded?
BobDaHacker, the researcher, said that they first brought the security flaws to Lovense’s notice on March 26 this year and won a $3,000 reward through a bug bounty programme.
The researcher said that they decided to publish their findings in the public domain after Lovense reportedly requested 14 months to fix the flaws, as it did not want to force customers using older models of its sex toys to update their apps immediately.
“The email disclosure vulnerability was surprisingly straightforward once you understood the flow […] The whole process took maybe 30 seconds per username manually, with the script we made though to automate it, it took less than 1 second for a username to be converted to an email,” BobDaHacker wrote.
The company has since said that it has fully addressed the account takeover bug. Lovense is further expected to roll out a software patch for the email disclosure bug in an update that will be “pushed to all users within the next week”, as per TechCrunch.