Those who own internet-connected sex toys likely want their private information to remain secure, but one popular brand has a significant security flaw in its app.
Lovense is an internet-connected sex toy brand that allows users to interact with various gadgets from afar through its app. It’s thought to have at least 20 million users, who are now vulnerable to two flaws in the app uncovered by a security researcher known as BobDaHacker.
The researcher says he notified Lovense about the bugs, but the company told him it would take 14 months to fix one of the issues, leaving people’s private information exposed for over a year.
“A faster, one-month fix…would require forcing all users to upgrade immediately, which would disrupt support for legacy versions,” Lovense told BobDaHacker. “We’ve decided against this approach in favor of a more stable and user-friendly solution.”
BobDaHacker found that users’ email addresses were visible to anyone who knew their usernames and ran them through a specific method of extracting the data. After his report was posted online, another person claimed to have told Lovense about the vulnerability in September 2023.
According to the person, identified as KrisTech304 on X, Lovense paid them a $350 bug bounty and said the flaw had been fixed. However, KrisTech304 was soon able to replicate it.
BobDaHacker and News worked together to see how long it would take the security researcher to find an email address on Lovense through the method discovered by KrisTech304. News set up a new alias, which the security researcher found in under a minute.
BobDaHacker also found a way for hackers to take over an entire account. Lovense has since fixed this issue, but the security researcher says it could have been done more securely.
If you use Lovense, you should be aware your email could be accessed if anyone knows your username, which is especially concerning for those who have professional accounts on the service. If you’re concerned, you may want to consider using a throwaway email in the future.
We asked the company for comment and will update here when we hear more.