Major ‘sex toy leak’ reveals shoppers who bought them and even ‘personal emails’ as company scrambles to fix bug

Buyers may have had their cheeky purchases exposed, and perhaps their accounts hijacked, after a security flaw in a popular sex toy app.
Lovense, which makes internet-connected sex toys, reportedly left user email addresses exposed for months without fixing the security flaw.
In a blog post, the security researcher Bobdahacker writes that he discovered a flaw that allowed anyone to “turn any username into their email address”, which could then be used to take over someone’s account.
All you needed to do to expose someone’s email address, according to the researcher, was to deactivate that person’s account.
Bobdahacker told Lovense about the vulnerability in March.
However, they claim that the company waited months before fixing it and has still not fully resolved the problem.
The Lovense platform connects to the company’s sex toys, which can be controlled remotely via the app.
The app is also used to “find like-minded thrill seekers”, according to the company, and came under fire in 2017 for a “minor bug” which recorded users’ sessions.
Bobdahacker says they developed a script that can convert someone’s username to an email address in less than a second.
“This is especially bad for cam models who share their usernames publicly but obviously do not want their personal emails exposed,” writes Bobdahacker in their post.
A user’s email address, combined with an authentication token generated by Lovense and captured by an attacker, is enough to take over that user’s account.
The account takeover bug was fixed in April, according to Lovense.
Bobdahacker disputes this, however, and says that a fix for the email leak would take 14 months to deploy.
“We have also evaluated a faster, one-month solution,” Lovense said, according to Bobdahacker.
“However, this would require forcing all users to upgrade immediately, which would disrupt support for legacy versions.”
Other security researchers reported the same account takeover bug to Lovense in 2023, according to Bobdahacker.
But the researcher noted that the company appears to have closed the bug report without fixing it.
In a statement to Bleeping Computer, Lovense says it has submitted an app update “addressing the latest vulnerabilities” to the app stores.
“The full update should be pushed to all users within the next week,” said Lovense.
“Once all users have updated to the new version and we deactivate the old versions, this problem will be completely solved.”
The Sun has contacted Lovense for comment.