Lovense, the manufacturer of internet-connected sex toys, has come under scrutiny for failing to address a security vulnerability that exposed user email addresses for several months. Despite being informed about the issue by security researcher BobDaHacker in March 2025, the company reportedly delayed shipping a fix, leaving users' privacy at risk in the meantime.
According to reports from TechCrunch and Bleeping Computer, BobDaHacker discovered that the app’s application programming interface (API) allowed anyone to convert a username into the email address registered to that account. On its own this is a privacy leak; combined with a separate account-takeover flaw that only required a victim’s email address, it meant that knowing a public username could be enough to take control of another user’s account. BobDaHacker noted that the leak was particularly harmful for cam models, who often share their usernames publicly but do not wish for their personal email addresses to be revealed.
In a blog post detailing the findings, BobDaHacker showed that the vulnerability could be exploited by sending a modified request to Lovense’s servers, which responded with data containing the target user’s email address. The researcher also wrote a script that converted a username into an email address in under a second, which is the practical measure of how cheap mass harvesting would have been.
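The bug class described above is excessive data exposure in a user-lookup endpoint: a handler that serializes a whole account record, email included, to any caller who knows a public username. The following is an added, hypothetical illustration and is not Lovense’s code or the researcher’s script; the handler names, field names, the `harvest_emails` helper and the sample accounts are all assumptions made for the example. It pairs a leaky lookup with a hardened one that returns an explicit allowlist of public fields unless the requester is the account owner, and adds a response-level regression check that flags anything email-shaped in an outgoing payload.

```python
import re
from dataclasses import dataclass

# Constructed sample accounts for the example; not real users.
@dataclass
class User:
    username: str
    email: str
    display_name: str

USERS = {
    "cam_star": User("cam_star", "alice@example.com", "Alice"),
    "viewer42": User("viewer42", "bob@example.com", "Bob"),
}

# Fields any caller may see. Everything else is private by default.
PUBLIC_FIELDS = ("username", "display_name")


def lookup_user_vulnerable(target: str) -> dict:
    """Leaky handler (hypothetical): dumps the whole record, so anyone who
    knows a public username receives the account's private email."""
    u = USERS[target]
    return {"username": u.username, "email": u.email, "display_name": u.display_name}


def lookup_user_hardened(requester: str, target: str) -> dict:
    """Hardened handler (hypothetical): allowlist public fields; only the
    account owner is shown private fields such as the email address."""
    u = USERS[target]
    out = {k: getattr(u, k) for k in PUBLIC_FIELDS}
    if requester == target:
        out["email"] = u.email
    return out


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _walk(obj):
    """Yield every leaf value in a nested dict/list response."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _walk(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _walk(v)
    else:
        yield obj


def leaks_email(response: dict) -> bool:
    """Regression check for a response destined for a non-owner: True if any
    string leaf looks like an email address."""
    return any(isinstance(v, str) and EMAIL_RE.match(v) for v in _walk(response))


def harvest_emails(usernames, handler) -> list:
    """Simulate the enumeration an attacker with a list of public usernames
    could run against a handler, returning every email address exposed."""
    found = []
    for name in usernames:
        for v in _walk(handler(name)):
            if isinstance(v, str) and EMAIL_RE.match(v):
                found.append(v)
    return found


if __name__ == "__main__":
    names = list(USERS)
    print("leaky handler exposes:", harvest_emails(names, lookup_user_vulnerable))
    print("hardened handler exposes:",
          harvest_emails(names, lambda t: lookup_user_hardened("anonymous", t)))
```

The `leaks_email` check is the kind of assertion worth wiring into an API test suite for every endpoint a non-owner can call: it catches the regression where a new field or a changed serializer starts returning private data, independently of how the lookup is implemented.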
The timeline of Lovense’s response has raised eyebrows. BobDaHacker reported the vulnerabilities in partnership with the Internet of Dongs, a project dedicated to improving the security of internet-connected sex toys. Lovense initially claimed to have resolved the account takeover issue in April 2025, but BobDaHacker disputed this, stating that the problem remained exploitable.
In an effort to explain the delays, Lovense said that while a rapid fix was considered, it would have forced all users to upgrade immediately and broken support for legacy versions of the app. The company estimated that a comprehensive fix for the email leak would take approximately 14 months to implement.
BobDaHacker pointed out that similar vulnerabilities had been reported to Lovense by other security researchers as early as 2023. Those reports appear to have been closed without a proper fix, which adds to the concerns about the company’s commitment to user security.
In a statement to Bleeping Computer, Lovense asserted that an app update has been submitted to app stores, addressing the latest vulnerabilities. The company stated, “The full update is expected to be pushed to all users within the next week. Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.”
As of now, Lovense has not responded to inquiries from The Verge about the situation. The delay in addressing a vulnerability that exposes personal data and enables account takeover raises obvious questions about user safety in the rapidly growing market for connected devices.
