Lovense was told its sex toy app leaked users’ emails and didn’t fix it

Lovense, the maker of internet-connected sex toys, left user emails exposed for months, even after it became aware of the vulnerability. In a blog post spotted by TechCrunch and BleepingComputer, security researcher BobDaHacker found that they could “turn any username into their email address,” which they could then use to take over someone’s account.

Although BobDaHacker initially disclosed this vulnerability to Lovense in March, the researcher claims Lovense waited months before fixing it, and still hasn’t fully addressed the issue. Lovense is behind a range of sex toys that users can connect to the internet and remotely control through its app, which came under fire for a “minor bug” in 2017 that recorded users’ sex sessions.

As outlined in BobDaHacker’s post, the security researcher noticed something strange in the app’s API response when muting someone: it included their email address. BobDaHacker then figured out that they could exploit this vulnerability by sending a modified request to Lovense’s servers, tricking them into returning the target user’s email address.
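The failure mode described above, an endpoint that serialises a whole user record when only a public identifier is needed, is a generic over-exposure bug and not specific to Lovense. The following is an added illustration written for this page, not Lovense’s code and not taken from BobDaHacker’s post; the handler names, the `User` model, the sample accounts and the allow-list of public fields are all hypothetical. It shows a “mute user” handler that leaks the target’s private fields beside a hardened version that builds the response from an explicit projection, plus a check that walks any response and reports sensitive keys, which can be run as a regression test over every response a non-owner caller can receive.

```python
import json
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str
    email: str          # private: must not appear in responses to other users
    password_hash: str  # private: must never leave the server


# Constructed sample records for this example (hypothetical, not real accounts).
USERS = {
    "alice": User(1, "alice", "alice@example.com", "$argon2id$v=19$...alice"),
    "bob": User(2, "bob", "bob@example.com", "$argon2id$v=19$...bob"),
}

# Allow-list of fields another user is permitted to see about a target.
PUBLIC_USER_FIELDS = ("id", "username")

# Fields a public endpoint must never emit; used by the regression check below.
SENSITIVE_FIELDS = {"email", "password_hash"}


def mute_response_vulnerable(target_username: str) -> dict:
    """Over-exposure pattern: the handler serialises the whole user record.

    Everything on the model (email, password hash) rides along in the JSON,
    so any caller who can name a target learns the target's private fields.
    """
    target = USERS[target_username]
    return {"status": "muted", "user": vars(target)}


def public_view(user: User) -> dict:
    """Project a user record onto the allow-listed public fields only."""
    return {field: getattr(user, field) for field in PUBLIC_USER_FIELDS}


def mute_response_hardened(target_username: str) -> dict:
    """Hardened handler: the response is built from an explicit projection,
    so a new private column added to the model cannot leak by default."""
    target = USERS[target_username]
    return {"status": "muted", "user": public_view(target)}


def sensitive_keys_in(payload, found=None) -> set:
    """Walk a JSON-like structure and collect sensitive keys found at any depth."""
    if found is None:
        found = set()
    if isinstance(payload, dict):
        for key, value in payload.items():
            if key in SENSITIVE_FIELDS:
                found.add(key)
            sensitive_keys_in(value, found)
    elif isinstance(payload, list):
        for value in payload:
            sensitive_keys_in(value, found)
    return found


if __name__ == "__main__":
    # Compare what each handler sends over the wire for the same request.
    for handler in (mute_response_vulnerable, mute_response_hardened):
        body = json.dumps(handler("bob"))
        print(handler.__name__, "->", body)
        leaked = sorted(sensitive_keys_in(json.loads(body)))
        print("  sensitive keys leaked:", leaked or "none")
```

The point of the allow-list is that the safe default survives schema changes: a deny-list of fields to strip has to be updated every time a private column is added, whereas a projection only ever emits what was deliberately listed. Running `sensitive_keys_in` over recorded responses in CI catches the regression the moment a handler falls back to dumping a model.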

BobDaHacker even developed a script that they say can convert someone’s username into an email address in under a second. “This is especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker writes. To make matters worse, BobDaHacker later discovered that they could take over a user’s account with their email address and an authentication token generated by Lovense.

BobDaHacker initially reported these vulnerabilities in partnership with the Internet of Dongs, a group that aims to make internet-connected sex toys safer. However, the security researcher says Lovense didn’t immediately fix the issue. Instead, Lovense claimed that the account takeover bug was fixed in April, although BobDaHacker said it wasn’t, and that a fix for the email leak would take 14 months to roll out.

“We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions,” Lovense said, according to BobDaHacker. As noted by BobDaHacker, security researchers reported the same account takeover bug to Lovense in 2023, but the company appears to have closed the bug without actually fixing it.

In a statement to BleepingComputer, Lovense says it has submitted an app update “addressing the academic vulnerabilities” to app stores. “The full update is expected to be pushed to all users within the next week,” Lovense says. “Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.” Lovense didn’t immediately respond to The Verge’s request for comment.
