SHOPPERS have had their cheeky purchases leaked, and possibly their accounts hacked, following the breach of a popular sex toy app.
Lovense, which makes internet-connected sex toys, reportedly left user emails exposed for months without fixing the cybersecurity flaw.
2
2
In a blog post, security researcher BobDaHacker writes that they discovered a flaw that allowed anyone to “turn any username into their email address,” which could then be used to take over someone’s account.
All it took to expose someone’s email address, according to the researcher, was to mute someone’s account.
BobDaHacker told Lovense about the vulnerability in March.
However, they claim the company waited months before fixing it, and still hasn’t fully addressed the issue.
The Lovense platform is connected to the company’s sex toy products, which can be controlled from afar via the app.
The app is also used to “find like-minded thrill seekers”, according to the company, and came under fire in 2017 for a “minor bug” that recorded users’ sex sessions.
BobDaHacker says they have developed a script that can convert someone’s username into an email address in less than a second.
“This is especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker writes in their post.
A user’s email address, combined with an authentication token generated by Lovense and captured by a hacker, is enough to take over a user’s account.
The account takeover bug was fixed in April, according to Lovense.
Although BobDaHacker disputes this, and says that a fix for the email leak issue would take 14 months to roll out.
“We also evaluated a faster, one-month fix,” Lovense said, according to BobDaHacker.
“However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions.”
Other security researchers reported the same account takeover bug to Lovense in 2023, according to BobDaHacker.
But The Verge noted that the company appears to have closed the bug without actually fixing it.
In a statement to Bleeping Computer, Lovense says it has submitted an app update “addressing the latest vulnerabilities” to app stores.
“The full update is expected to be pushed to all users within the next week,” Lovense says.
“Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.”
The Sun has contacted Lovense for comment.
