Security researchers say sex toy maker Lovense has failed to completely fix two security flaws that publish the user's private email address and allow the user to acquire the user's account.
Researchers going with the Bobda Hacker on the Handle released details of the bug on Monday after claiming that Lovense would take 14 months to fix the defect so as not to use inconvenient users of its legacy products.
Lovense is one of the largest manufacturers of internet-connected adult toys, and is said to have over 20 million users. The company made headlines in 2023 to become one of the first sex toy manufacturers to integrate ChatGpt into its products.
However, the inherent security risks when connecting sex toys to the internet can put users at risk of real harm if something goes wrong, such as device lock-in or data privacy leaks.
Bobdahacker said he discovered that Lovense was leaking someone else's email address while using the app. Although other users' email addresses were not visible to users of the app, anyone who uses network analysis tools to inspect the data flowing into the app will see other users' email addresses when they interact with them.
By modifying a network request from a logged in account, Bobdahacker says that he can associate his Lovense username with a registered email address, potentially revealing customers who have signed up for Lovense with an identifiable email address.
“This was particularly bad for CAM models who publish their usernames but obviously don't want to publish personal emails,” Bobdahacker wrote in a blog post.
TechCrunch confirmed this bug by creating a new account about Lovense and asking Bobdahacker to reveal the email address they registered. By automating the process with computer scripts, researchers said they can get the user's email address within a second.
Bobdahacker said the second vulnerability allows the Lovense user's account to be taken over using only email addresses that could derive from previous bugs. This bug allows anyone to create an authentication token to access their Lovense account without the need for a password, allowing the attacker to remotely control the account as if he were a real user.
“This was a big deal because the CAM model uses these tools for work. Literally, anyone can take over your account just by knowing their email address,” Bobdahacker said.
Bugs affect people with Lavense accounts or devices.
Bobdahacker revealed the bug to Lovense on March 26th through a project aimed at improving the security and privacy of Sex Toys and helps report and disclose flaws to device manufacturers.
According to Bobdahacker they were awarded a total of $3,000 via the Bug Bounty site Hackerone. However, after several weeks of objectioning whether the bug was actually fixed, researchers were published this week after Lovense requested 14 months to fix the defect. (Security researchers usually grant vendors within three months, and within three months to fix security bugs before publishing their findings.) The company told Bobdahacker in the same email that it opposed “fastest month fixes.”
The researchers notified the company prior to disclosure according to emails seen by TechCrunch. Bobdahacker said in an update to his blog post on Tuesday that the bug may have been identified by another researcher until September 2023, but the bug is said to have been closed without any fixes.
Lovense did not respond to emails from TechCrunch.