Lovense was told its sex toy app leaked users’ emails and didn’t fix it

Lovense, the maker of internet-connected sex toys, left users' email addresses exposed for months, even after being told about the vulnerability. In a blog post spotted by TechCrunch and BleepingComputer, security researcher BobDaHacker noted that they could "turn any username into their email address," which they could then use to take over someone's account.
Although BobDaHacker initially disclosed the vulnerability to Lovense in March, the researcher says Lovense waited months before fixing it and still has not fully resolved the problem. Lovense makes a range of sex toys that users can connect to the internet and control remotely through its app, and it was criticized in 2017 for a "minor bug" that recorded users' sexual sessions.
As BobDaHacker's post explains, the researcher noticed something odd in the app's API response when muting someone: it included that user's email address. BobDaHacker then realized they could exploit this by sending a modified request to Lovense's servers, causing them to return the target user's email address.
BobDaHacker even built a script that, they say, can convert someone's username into an email address in under a second. "This is especially bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed," BobDaHacker writes. Worse, BobDaHacker later found that they could take over a user's account using only that user's email address and an authentication token generated by Lovense.
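The root cause described above is a server response that serializes a whole user record, email included, when a client only needs a public identifier. The following is an added example, not Lovense's code and not BobDaHacker's script: it shows the leaky response shape beside an allowlisted serializer, plus a regression check that scans a response for any email address that is not the requesting user's own. All user records, field names and endpoint names are constructed for the illustration.

```python
"""
Added example (not Lovense's code, not BobDaHacker's script): an allowlist
serializer for user objects in API responses, the leaky 'before' shape it
replaces, and a regression check that flags leaked email addresses.
Every user record, field and endpoint name here is constructed.
"""
import json
import re

# Constructed sample user store. The email column must never appear in a
# response that describes some *other* user.
USERS = {
    "cammodel_01": {"id": 1, "username": "cammodel_01",
                    "email": "private-one@example.com", "muted_by": set()},
    "viewer_42":   {"id": 2, "username": "viewer_42",
                    "email": "private-two@example.com", "muted_by": set()},
}

# Fields a user object may expose to anyone.
PUBLIC_FIELDS = ("id", "username")
# Fields a user may additionally see about themselves only.
SELF_FIELDS = PUBLIC_FIELDS + ("email",)

# Loose email shape, good enough to catch a leaked address in JSON output.
EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[^@\s\"']+")


def serialize_user(record: dict, viewer_username: str) -> dict:
    """Allowlist serialization: pick the permitted fields, never filter the rest out."""
    allowed = SELF_FIELDS if record["username"] == viewer_username else PUBLIC_FIELDS
    return {k: record[k] for k in allowed}


def mute_user_leaky(viewer: str, target: str) -> dict:
    """The 'before' shape: echoes the entire stored record of the muted user."""
    rec = USERS[target]
    rec["muted_by"].add(viewer)
    body = dict(rec)
    body["muted_by"] = sorted(body["muted_by"])   # make the set JSON-serializable
    return {"ok": True, "muted": body}


def mute_user_hardened(viewer: str, target: str) -> dict:
    """The hardened shape: same side effect, only allowlisted fields in the body."""
    rec = USERS[target]
    rec["muted_by"].add(viewer)
    return {"ok": True, "muted": serialize_user(rec, viewer)}


def leaked_emails(response: dict, viewer: str) -> list[str]:
    """Regression check: every email-shaped string in a response must be the viewer's own."""
    own = USERS[viewer]["email"]
    found = EMAIL_RE.findall(json.dumps(response))
    return sorted(e for e in found if e != own)


if __name__ == "__main__":
    # The leaky endpoint exposes the muted user's address; the hardened one does not.
    print("leaky:", leaked_emails(mute_user_leaky("viewer_42", "cammodel_01"), "viewer_42"))
    print("hardened:", leaked_emails(mute_user_hardened("viewer_42", "cammodel_01"), "viewer_42"))
```

The design point is the allowlist: a serializer that names the fields it emits cannot start leaking a newly added column, whereas one that strips known-sensitive fields will. The `leaked_emails` check is the kind of assertion that belongs in an API test suite so that a regression of this class is caught before release rather than by an outside researcher.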
BobDaHacker initially reported these vulnerabilities in partnership with Internet of Dongs, a group that aims to make internet-connected sex toys more secure. However, the researcher says Lovense did not promptly fix the problem. Instead, Lovense said the account takeover bug had been fixed in April, even though BobDaHacker said it had not been, and that a fix for the email leak would take 14 months.
"We also evaluated a faster, one-month fix. However, this would require all users to upgrade immediately, which would disrupt support for legacy versions," Lovense said, according to BobDaHacker. As BobDaHacker notes, security researchers reported the same account takeover bug to Lovense in 2023, but the company appears to have closed the report without fixing it.
In a statement to BleepingComputer, Lovense says it has submitted an update to "address the latest vulnerabilities" to the app stores. "The full update should be pushed to all users within the next week," Lovense said. "Once all users have updated to the new version and we deactivate the old versions, this problem will be completely resolved." Lovense did not immediately respond to The Verge's request for comment.