A security researcher revealed that Lovense, a leading manufacturer of internet-connected sex toys, has not adequately addressed two critical security vulnerabilities that compromise user privacy. The researcher, known as BobDaHacker, disclosed details about these issues after Lovense announced it would take 14 months to implement necessary fixes, citing the need to avoid disrupting users of older products.

With over 20 million users, Lovense made headlines earlier this year for being among the first in its industry to incorporate ChatGPT into its devices. However, the risks associated with connecting such products to the internet are significant, potentially exposing users to data breaches and account takeovers.

BobDaHacker reported that the app was leaking other users' email addresses. While these addresses were not visible within the app interface, anyone using network analysis tools could see them during interactions, such as when muting another user. By altering network requests linked to a logged-in account, the researcher successfully matched Lovense usernames to their respective email addresses, potentially endangering users who registered with identifiable information. This was particularly concerning for cam models, who typically share their usernames publicly and would not want their personal emails disclosed. TechCrunch verified this vulnerability by creating a new Lovense account and allowing BobDaHacker to reveal the registered email address, which took less than a minute. The researcher noted that this process could be automated, allowing the retrieval of a user's email address in under a second.

A second vulnerability enabled BobDaHacker to take over any Lovense account simply by knowing the email address linked to it, which could be obtained through the first bug. This issue permits unauthorized individuals to generate authentication tokens for accessing accounts without needing a password, effectively giving them the ability to control the account as if they were the legitimate user. This situation poses a significant threat, especially to cam models who rely on the platform for their work. BobDaHacker emphasized the severity of the issue, stating that anyone could take over any account merely by knowing the associated email address.

The vulnerabilities impact all Lovense account holders or device users. BobDaHacker initially reported the issues to Lovense on March 26 through the Internet of Dongs project, which seeks to enhance security and privacy in the sex toy industry. For their efforts, the researcher received $3,000 through the HackerOne bug bounty program. However, after several weeks of discussions over whether the flaws had been resolved, BobDaHacker chose to make the information public when Lovense indicated a lengthy timeframe for fixes.

According to the researcher, the vulnerabilities may have been recognized by another individual as early as September 2023 but were allegedly marked as resolved without appropriate action. Lovense has not responded to inquiries from TechCrunch regarding this situation.