Sex toy maker Lovense caught leaking users’ email addresses and exposing accounts to takeovers

A security researcher known as BobDaHacker has revealed that sex toy manufacturer Lovense has not fully addressed two security flaws. These vulnerabilities expose users’ private email addresses and allow unauthorized account takeovers.

BobDaHacker published details of the bugs after Lovense stated it would need 14 months to fix them, citing concerns about inconveniencing users of legacy products. Lovense is one of the largest makers of internet-connected sex toys, with over 20 million users. The company gained attention in 2023 for integrating ChatGPT into its products, but connecting such devices to the internet carries inherent security risks. These risks include device lock-ins and data privacy leaks, which could lead to real-world harm for users.

According to BobDaHacker, Lovense was leaking users’ email addresses through its app. While the emails were not visible within the app itself, anyone using network analysis tools could see them during interactions such as muting another user. By modifying network requests, the researcher could link any Lovense username to its registered email address, potentially exposing customers who used identifiable emails. This issue was particularly concerning for cam models, who often share their usernames publicly but wish to keep personal emails private.

TechCrunch verified the bug by creating a test account and having BobDaHacker retrieve the registered email address in under a minute. The researcher noted that automating the process could reduce the time to less than a second.

A second vulnerability allowed account takeovers using only an email address, which could be obtained through the first flaw. This bug enabled attackers to generate authentication tokens without a password, granting full control over a victim’s account. BobDaHacker emphasized the severity of this flaw, stating that anyone could hijack an account with just an email address.
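The two defect classes the article describes, excessive data in an API response (the email leak via the mute interaction) and a login token minted from an email alone, shown beside hardened forms, as an added illustration that is not Lovense's code; the user store, field names and password are constructed, and the exact Lovense endpoints are not known from the article:

```python
import hashlib
import hmac
import secrets

# Constructed user store (hypothetical): username -> record with private fields.
_SALT = b"constructed-salt"

def _hash_pw(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)

USERS = {
    "cammodel42": {"username": "cammodel42", "email": "private@example.test",
                   "pw_hash": _hash_pw("correct horse")},
}

# Flaw 1 (excessive data exposure): the mute response echoes the whole record,
# so anyone inspecting their own traffic sees the target's email.
def mute_response_vulnerable(target: str) -> dict:
    return {"muted": True, "user": USERS[target]}

# Hardened: serialise through an explicit allow-list of public fields, so a
# private field can never reach the wire by accident on any endpoint.
PUBLIC_FIELDS = ("username",)
def public_view(record: dict) -> dict:
    return {k: record[k] for k in PUBLIC_FIELDS}

def mute_response_hardened(target: str) -> dict:
    return {"muted": True, "user": public_view(USERS[target])}

# Flaw 2: minting a token from an email alone turns the email into a credential.
def issue_token_vulnerable(email: str) -> str:
    known = any(u["email"] == email for u in USERS.values())
    return secrets.token_hex(16) if known else ""

# Hardened: a token is issued only after constant-time password verification.
def issue_token_hardened(email: str, password: str) -> str:
    user = next((u for u in USERS.values() if u["email"] == email), None)
    if user is None or not hmac.compare_digest(user["pw_hash"], _hash_pw(password)):
        return ""
    return secrets.token_hex(16)

# Regression check for response shape: walk a JSON-like reply and flag a
# private field wherever it appears, so a leak like flaw 1 fails in CI.
def leaks_field(obj, field: str = "email") -> bool:
    if isinstance(obj, dict):
        return field in obj or any(leaks_field(v, field) for v in obj.values())
    if isinstance(obj, list):
        return any(leaks_field(v, field) for v in obj)
    return False
```

Running `leaks_field` over every endpoint's sample responses in the test suite is the cheap way to catch a private field that an ORM or serializer started including by default.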

The bugs were reported to Lovense on March 26 through the Internet of Dongs, a project focused on improving sex toy security. BobDaHacker received a $3,000 bounty via HackerOne but later disclosed the flaws publicly after disputes over whether they were truly fixed. Lovense requested 14 months to address the issues, far longer than the typical three-month window security researchers allow before public disclosure. The company declined a faster one-month fix, which would have required users of older products to update their apps immediately.

BobDaHacker noted that the bug may have been identified by another researcher as early as September 2023 but was reportedly closed without resolution. Lovense did not respond to TechCrunch’s request for comment.