Intercourse toy firm Lovense is leaking the e-mail addresses of its app customers and permitting account takeovers with out asking for a password, in keeping with a safety researcher. As reported by TechCrunch, BobDaHacker, who describes themself as an moral hacker dedicated to exposing and reporting safety vulnerabilities, revealed an in depth report wherein they accuse Lovense of failing to repair a severe bug it was first made conscious of in 2023.
In keeping with the hacker (and later verified by TechCrunch), Lovense permits any username to be became their e mail tackle with the appropriate know-how, a flaw they initially found after muting somebody on the app. With their entry to Lovense’s API, they had been capable of acquire the emails related to any public username in lower than a second when operating the modified request course of via an automatic script. They famous that the susceptible nature of those accounts is "particularly unhealthy for cam fashions" who use the Lovense platform for work, and should share their usernames for these functions.
The researcher additionally realized that with a person’s e mail tackle (both one you already know or one obtained utilizing the aforementioned disclosure bug), they might generate auth tokens that allowed them to take over the related account with out a password. This allegedly labored for the Lovense Chrome Extension and Lovense Join app, in addition to the corporate’s Cam101 and StreamMaster software program — and even admin accounts.
BobDaHacker mentioned they initially reported the bugs to Lovense with help from the intercourse tech hacking venture The Web Of Dongs in March 2025, and obtained $3,000 in complete for flagging them by way of the HackerOne safety platform. After a collection of interactions with Lovense representatives, they had been informed in early June that the account takeover bug had been mounted through the earlier month, which the researcher claims isn’t true. Concerning the e-mail disclosure flaw, Lovense mentioned in a press release printed by BobDaHacker that it may take as much as 14 months to repair the problem, as a sooner one-month repair would "require forcing all customers to improve instantly," which it mentioned would "disrupt help for legacy variations."
The researcher went on to say that they had been contacted by a Twitter person who claimed to have discovered the identical account takeover bug way back to 2023, and had been informed shortly after reporting it to Lovense that the bug had been resolved, which wasn’t the case. They mentioned a patch ultimately mounted their technique, which used an HTTP endpoint to transform a username into an e mail tackle, however that it wasn’t rolled out till early 2025. BobDaHacker mentioned they’d requested remark from Lovense however on the time of writing had not obtained one.
This isn’t the primary time Lovense customers have stumbled upon privateness concern bugs. In 2017, a Redditor found that the Lovense app, which permits customers to regulate their intercourse toys remotely, was recording audio with out their consent and saving it to their cellphone. A commenter on the Reddit publish, who claimed to be a Lovense consultant, known as the recordings a "minor software program bug" that affected the Android model of the app and mentioned on the time that it had been mounted in an replace.
This text initially appeared on Engadget at https://www.engadget.com/cybersecurity/a-lovense-security-flaw-may-be-letting-people-take-over-accounts-without-a-password-160528730.html?src=rss