Lovense, the maker of internet-connected intercourse toys, left consumer emails uncovered for months — even after it grew to become conscious of the vulnerability. In a weblog publish noticed by TechCrunch and Bleeping Pc, safety researcher BobDaHacker discovered that they may “flip any username into their e mail handle,” which they may then use to take over somebody’s account.
Although BobDaHacker initially disclosed this vulnerability to Lovense in March, the researcher claims Lovense waited months earlier than fixing it, and nonetheless hasn’t totally addressed the difficulty. Lovense is behind a spread of intercourse toys that customers can hook up with the web and remotely management through its app, which got here underneath fireplace for a “minor bug” in 2017 that recorded customers’ intercourse periods.
As outlined in BobDaHacker’s publish, the safety researcher observed one thing unusual within the app’s API response when muting somebody: it offered their e mail handle. BobDaHacker then discovered that they may benefit from this vulnerability by sending a modified request to Lovense’s servers, tricking it into returning the goal consumer’s e mail handle.
BobDaHacker even developed a script that they are saying can convert somebody’s username into an e mail handle in lower than a second. “That is particularly unhealthy for cam fashions who share their usernames publicly however clearly don’t need their private emails uncovered,” BobDaHacker writes. To make issues worse, BobDaHacker later found that they may take over a consumer’s account with their e mail handle and an authentication token generated by Lovense.
BobDaHacker initially reported these vulnerabilities in partnership with the Web of Dongs, a gaggle that goals to make internet-connected intercourse toys safer. Nevertheless, the safety researcher says Lovense didn’t instantly repair the difficulty. As an alternative, Lovense claimed that the account takeover bug was mounted in April, though BobDaHacker mentioned it wasn’t, and {that a} repair for the e-mail leak subject would take 14 months to roll out.
“We additionally evaluated a sooner, one-month repair. Nevertheless, it might require forcing all customers to improve instantly, which might disrupt assist for legacy variations,” Lovense mentioned, in response to BobDaHacker. As famous by BobDaHacker, safety researchers reported the identical account takeover bug to Lovense in 2023, however the firm seems to have closed the bug with out truly fixing it.
In a press release to Bleeping Pc, Lovense says it has submitted an app replace “addressing the most recent vulnerabilities” to app shops. “The complete replace is anticipated to be pushed to all customers inside the subsequent week,” Lovense says. “As soon as all customers have up to date to the brand new model and we disable older variations, this subject might be fully resolved.” Lovense didn’t instantly reply to The Verge’s request for remark.
