Lovense Faces Backlash Over Unpatched Security Flaws Exposing User Emails and Enabling Account Takeovers
July 29, 2025
Internet-connected sex toy maker Lovense is under scrutiny after a security researcher revealed that the company has yet to fully fix two serious vulnerabilities — one that exposes users' private email addresses, and another that enables full account takeovers with no password required.
The researcher, who goes by BobDaHacker, disclosed the details on Monday, citing Lovense’s refusal to implement a faster fix. According to the researcher, Lovense claimed it would need 14 months to resolve the issues in order to avoid disrupting customers using older products — a decision that has sparked criticism in the cybersecurity community.
Lovense, with over 20 million users globally, made waves in 2023 as one of the first companies to integrate AI, including ChatGPT, into sex tech. However, its increasing digitization brings heightened security risks, especially when vulnerabilities could impact users' safety, privacy, and even livelihoods.
One of the flaws allowed an attacker to learn the email address linked to any Lovense username. That is a serious privacy breach, particularly for cam models and content creators who publicly share their usernames but rely on their email addresses staying private. The app's interface never displayed these addresses, but the server still returned them in the traffic generated by ordinary interactions such as muting another user, so anyone inspecting the app's network traffic with basic monitoring tools could read them.
Tech journalists verified the bug by creating a dummy account and confirming that BobDaHacker could identify its email address in under a minute. The researcher said the process could be automated to retrieve an address in less than a second.
A second, more severe vulnerability allowed an attacker to take over any user's Lovense account by generating valid authentication tokens from nothing more than the user's email address, with no password and no interaction from the victim. With such a token, the attacker could fully control the account and any devices connected to it.
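The two bug classes described above (a response that carries a field the client never shows, and a token endpoint that authenticates on an identifier alone) are easy to model side by side. The following is an added illustration, not Lovense's code and not the researcher's exploit; the user records, the field names, the mute endpoint, and the HMAC token format are all assumptions made for the example, and the in-memory store is constructed fake data.

```python
"""Two API anti-patterns of the kind reported against Lovense, each beside a
hardened version. Constructed example with a made-up in-memory user store;
not the vendor's code and not the researcher's exploit."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)      # assumption: one server-side signing key
PUBLIC_FIELDS = ("username", "display_name")  # the only fields the client UI needs


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(username, display_name, email, password):
    salt = secrets.token_bytes(16)
    return {"username": username, "display_name": display_name, "email": email,
            "salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed sample accounts (fake data for the example).
USERS = {u["username"]: u for u in (
    _make_user("cam_star", "Cam Star", "private@example.com", "correct horse"),
    _make_user("viewer42", "Viewer", "viewer@example.com", "hunter2"),
)}
BY_EMAIL = {u["email"]: u for u in USERS.values()}


# --- Flaw 1: serialising the whole record leaks fields the UI never shows ---
def mute_response_vulnerable(target_username: str) -> dict:
    """Strips secrets but still ships the email; the app hides it, anyone
    watching the network traffic does not have to."""
    user = USERS[target_username]
    return {k: v for k, v in user.items() if k not in ("salt", "pw_hash")}


def mute_response_hardened(target_username: str) -> dict:
    """Allow-list projection: only the fields the client needs leave the server."""
    user = USERS[target_username]
    return {k: user[k] for k in PUBLIC_FIELDS}


# --- Flaw 2: minting a session token from an email address alone ---
def _mint_token(username: str) -> str:
    # Assumed token format: username:nonce:HMAC(secret, username:nonce).
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_SECRET, f"{username}:{nonce}".encode(), "sha256").hexdigest()
    return f"{username}:{nonce}:{mac}"


def verify_token(token: str):
    """Returns the username the token binds to, or None if the MAC is bad."""
    try:
        username, nonce, mac = token.split(":")
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{username}:{nonce}".encode(), "sha256").hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


def issue_token_vulnerable(email: str):
    """No credential check: knowing the email is enough to get a valid token."""
    user = BY_EMAIL.get(email)
    return _mint_token(user["username"]) if user else None


def issue_token_hardened(email: str, password: str):
    """A token is issued only after the password verifies against the stored hash."""
    user = BY_EMAIL.get(email)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    return _mint_token(user["username"])
```

The token signing itself is sound in both versions; the takeover comes purely from the missing credential check in front of it, which is why the fix is an authorization gate rather than a change to the token format. Likewise the email leak is not a client bug: whatever the server puts in a response is visible to an intercepting proxy, so the projection has to happen server-side.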
“This was a huge deal,” wrote the researcher in a blog post. “Literally anyone could take over any account just by knowing the email address.”
The flaws affect anyone with a Lovense account or connected device. BobDaHacker initially disclosed the bugs in March 2024 through the Internet of Dongs project, which advocates for safer and more private sex tech. The researcher received a $3,000 bug bounty through HackerOne, but said Lovense resisted acknowledging or fixing the problems fully.
After several months of communication, Lovense informed the researcher it had opted against a “faster, one-month fix” because it would require legacy users to upgrade their apps. Instead, the company planned a much longer timeline of over a year, prompting the researcher to go public.
An update to the blog post also notes that the email disclosure bug may have been discovered by another researcher as early as September 2023, but it was allegedly dismissed without remediation.
Following publication of the report, a Lovense spokesperson claimed the account takeover flaw had been addressed and that the email disclosure bug would be fixed in an upcoming update "within the next week." The company did not, however, commit to informing users directly about the vulnerabilities.
As sex tech continues to grow in popularity and sophistication, this case underscores the critical importance of security and transparency. For users entrusting intimate data and device control to app-connected tools, any lapse in protection can have serious real-world consequences.