Lovense, the maker of internet-connected sex toys, left user emails exposed for months, even after it became aware of the vulnerability. In a blog post spotted by TechCrunch and Bleeping Computer, security researcher BobDaHacker found that they could “turn any username into their email address,” which they could then use to take over someone’s account.
Though BobDaHacker initially disclosed this vulnerability to Lovense in March, the researcher claims Lovense waited months before fixing it, and still hasn’t fully addressed the issue. Lovense is behind a range of sex toys that users can connect to the internet and remotely control via its app, which came under fire for a “minor bug” in 2017 that recorded users’ sex sessions.
As outlined in BobDaHacker’s post, the security researcher noticed something unusual in the app’s API response when muting someone: it included their email address. BobDaHacker then figured out that they could take advantage of this vulnerability by sending a modified request to Lovense’s servers, tricking them into returning the target user’s email address.
BobDaHacker even developed a script that they say can convert someone’s username into an email address in less than a second. “This is especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker writes. To make matters worse, BobDaHacker later discovered that they could take over a user’s account with their email address and an authentication token generated by Lovense.
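The leak described above is a textbook case of excessive data exposure: an endpoint that only needed to confirm a mute serialized the whole user record, private fields included, and an attacker only had to ask for the right target. The block below is an added example written for this page; it is not Lovense’s code and not BobDaHacker’s script, and the endpoint shape, field names and sample users are hypothetical and constructed inline. It shows the leaky pattern beside a hardened version that allow-lists response fields, plus a small check that could be run in a test suite to catch private fields appearing in any JSON response.

```python
"""Excessive data exposure in an API response, and the allow-listed fix.

Added example for illustration; endpoint shape, field names and the
sample users are hypothetical and not taken from any real service.
"""
import json
from dataclasses import asdict, dataclass

# Fields that must never leave the server in a response body.
PRIVATE_FIELDS = ("email", "password_hash", "auth_token")

# Fields a caller is allowed to learn about another user.
PUBLIC_FIELDS = ("id", "username", "display_name")


@dataclass
class User:
    id: int
    username: str
    display_name: str
    email: str          # private
    password_hash: str  # private
    auth_token: str     # private


# Constructed in-memory "database" keyed by username.
USERS = {
    "alice_cam": User(1, "alice_cam", "Alice", "alice@example.invalid",
                      "$2b$12$placeholderhash", "tok-alice-0001"),
    "bob": User(2, "bob", "Bob", "bob@example.invalid",
                "$2b$12$placeholderhash", "tok-bob-0002"),
}


def mute_user_leaky(actor: str, target_username: str) -> str:
    """Vulnerable pattern: dump the whole ORM/dataclass record.

    The mute itself only needs the target's id, but serializing the
    full object hands every caller the target's private fields.
    Because the target is chosen by the caller, any public username
    can be turned into an email address with one request.
    """
    target = USERS[target_username]
    return json.dumps({"status": "muted", "by": actor, "user": asdict(target)})


def mute_user_hardened(actor: str, target_username: str) -> str:
    """Hardened pattern: build the response from an explicit allow-list.

    Only PUBLIC_FIELDS are copied out of the record, so adding a new
    private column to User can never widen the response by accident.
    An unknown target gets the same shape with no user object, which
    also avoids turning the endpoint into a username oracle.
    """
    target = USERS.get(target_username)
    if target is None:
        return json.dumps({"status": "muted", "by": actor})
    public = {field: getattr(target, field) for field in PUBLIC_FIELDS}
    return json.dumps({"status": "muted", "by": actor, "user": public})


def leaked_private_fields(response_body: str) -> set:
    """Return the private field names present anywhere in a JSON response.

    Walks nested dicts and lists so a record buried under another key
    (for example {"data": {"user": {...}}}) is still caught. Suitable
    as a regression check over recorded API responses.
    """
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in PRIVATE_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(response_body))
    return found


if __name__ == "__main__":
    leaky = mute_user_leaky("bob", "alice_cam")
    safe = mute_user_hardened("bob", "alice_cam")
    print("leaky response leaks:", sorted(leaked_private_fields(leaky)))
    print("hardened response leaks:", sorted(leaked_private_fields(safe)))
```

The design point is that the fix is an allow-list on the way out, not a deny-list: `mute_user_hardened` never has to know which columns are secret, so a column added later (an auth token, say) stays inside the server by default. The `leaked_private_fields` check is the kind of assertion worth running over every endpoint's responses in CI, since the original bug sat in a response nobody thought of as sensitive.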
BobDaHacker initially reported these vulnerabilities in partnership with the Internet of Dongs, a group that aims to make internet-connected sex toys more secure. However, the security researcher says Lovense didn’t immediately fix the issue. Instead, Lovense claimed that the account takeover bug was fixed in April, even though BobDaHacker said it wasn’t, and that a fix for the email leak issue would take 14 months to roll out.
“We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions,” Lovense said, according to BobDaHacker. As noted by BobDaHacker, security researchers reported the same account takeover bug to Lovense in 2023, but the company appears to have closed the bug without actually fixing it.
In a statement to Bleeping Computer, Lovense says it has submitted an app update “addressing the latest vulnerabilities” to app stores. “The full update is expected to be pushed to all users within the next week,” Lovense says. “Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.” Lovense didn’t immediately respond to The Verge’s request for comment.