Sex toy maker Lovense leaked the user’s email address and published its account for acquisition

Security researchers say sex toy maker Lovense has failed to completely fix two security flaws that publish the user’s private email address and allow the user to acquire the user’s account.

Researcher going with handle bobda hacker, Monday’s bug released details After Lovense claimed it would take 14 months to fix the defect so that some users of its legacy product do not become inconvenient.

Lovense is one of the biggest manufacturers of internet-connected adult toys and is said to have Over 20 million users. The company made headlines in 2023 to become one of its first adult toy makers. Integrate ChatGpt into your product.

However, the inherent security risks when connecting sex toys to the internet can be exposed to the risk of actual harm if something goes wrong with the user. Device lock-in and Data Privacy Leak.

Bobdahacker said he discovered that Lovense was leaking someone else’s email address while using the app. Although other users’ email addresses were not visible to users of the app, anyone who uses a network analysis tool to inspect the data flowing through the app will see the other users’ email addresses when they interact with them.

By modifying a network request from a logged in account, Bobdahacker says that he can associate his Lovense username with a registered email address, potentially revealing customers who have signed up for Lovense with an identifiable email address.

“This was particularly bad for CAM models who publish their usernames but obviously don’t want to publish personal emails,” Bobdahacker wrote in a blog post.

TechCrunch confirmed this bug by creating a new account about Lovense and asking Bobdahacker to reveal the email address they registered. By automating the process with computer scripts, researchers said they can get the user’s email address within a second.

Bobdahacker said the second vulnerability allows the account of a Lovense user to be taken over using only email addresses that could derive from previous bugs. This bug allows anyone to create an authentication token to access their Lovense account without the need for a password, allowing the attacker to remotely control the account as if he were a real user.

“This was a big deal because the CAM model uses these tools for work. Literally, anyone can take over your account just by knowing their email address,” Bobdahacker said.

Bugs affect people with Lavense accounts or devices.

Bobdahacker disclosed the bug to Lovense on March 26th. Don’s Internetimproving the security and privacy of adult toys, Report and disclose defects to device manufacturers.

According to Bobdahacker they were awarded a total of $3,000 via the Bug Bounty site Hackerone. However, after several weeks of objectioning whether the bug was actually fixed, researchers were published this week after Lovense requested 14 months to fix the defect. (Security researchers usually grant vendors within three months to fix security bugs before publishing their findings.) The company told Bobdahacker in the same email that they opposed “fastest month fixes.”

The researchers notified the company prior to disclosure according to emails seen by TechCrunch. Bobdahacker said in an update to his blog post on Tuesday that the bug may have been identified by another researcher until September 2023, but the bug is said to have been closed without any fixes.

Lovense did not respond to emails from TechCrunch.

Flash News

Oppenheimer lifts S&P End of Year 500 target to Wall Street High with trade optimism

Space Force bets on commercial participants in the $4 billion SATCOM contest

Analysis of the new 154 pound ranking for the ring: top picks with surprises, oddities, flaws

Trump says India is facing 20%-25% trade tariffs

TEA App Data Breaches: What We Know About Class Action Lawsuits

NFL’s Roger Goodell tells NYC employees to work from home after filming