Lovense, a maker of internet-connected sex toys, has confirmed it has fixed a pair of security vulnerabilities that exposed customers’ private email addresses and allowed attackers to remotely take over any user’s account.
While the company said the bugs have been “fully resolved,” its chief executive is now considering taking legal action following the disclosure.
In a statement shared with TechCrunch, Lovense CEO Dan Liu said the sex toy maker was “investigating the possibility of legal action” in response to allegedly erroneous reports about the bug. When asked by TechCrunch, the company did not respond to clarify whether it was referring to media reports or a security researcher’s disclosure.
Details of the bug emerged this week after a security researcher, who goes by the handle BobDaHacker, disclosed that they reported the two security bugs to the sex toy maker earlier this year. The researcher published their findings after Lovense claimed it would take 14 months to fully address the vulnerabilities rather than applying a “faster, one-month fix” that would have required alerting users to update their apps.
Lovense said in its statement, attributed to Liu, that the fixes put in place would require users to update their apps before they can resume using all of the app’s features.
In the statement, Liu claimed that there is “no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.” It’s not clear how Lovense came to this conclusion, given that TechCrunch (and other outlets) verified the email disclosure bug by setting up a new account and asking the researcher to identify the associated email address.
TechCrunch asked Lovense what technical means, such as logs, the company has to determine whether there was any compromise of users’ data, but a spokesperson did not respond.
It’s not unheard of for organizations to resort to legal demands and threats to try to block the disclosure of embarrassing security incidents, despite there being few rules or restrictions in the U.S. prohibiting such reporting.
Earlier this year, a U.S. independent journalist rebuffed a legal threat from a U.K. court injunction for accurately reporting a ransomware attack on U.K. private healthcare giant HCRG. In 2023, a county official in Hillsborough County, Florida, threatened criminal charges against a security researcher under the state’s computer hacking laws for identifying and privately disclosing a security flaw in the county’s court records system that exposed access to sensitive filings.