A security researcher says sex toy maker Lovense has failed to fully fix two security flaws that expose the private email addresses of its users and allow any user's account to be taken over.
The researcher, who goes by the handle bobdahacker, published details of the bugs on Monday, after Lovense claimed it would need 14 months to fix the flaws so as not to disrupt users of some of its legacy products.
Lovense is one of the largest makers of sex toys and is said to have more than 20 million users. The company made headlines in 2023 for becoming one of the first sex toy makers to integrate ChatGPT into its products.
However, the inherent security risks of connecting sex toys to the internet can put users at risk of real-world harm if something goes wrong, including device locking and data privacy leaks.
Bobdahacker said they discovered that Lovense was leaking other people's email addresses while they were using the app. Although other users' email addresses were not visible to users in the app itself, anyone using a network analysis tool to inspect the data flowing in and out of the app would see another user's email address when interacting with them, such as by muting them.
By modifying the app's network traffic from a logged-in account, Bobdahacker said they could associate any Lovense username with its registered email address, potentially exposing any customer who signed up to Lovense with an identifiable email address.
“This was particularly bad for cam models sharing their usernames publicly, but obviously they don’t want their personal emails exposed,” Bobdahacker wrote in their blog post.
TechCrunch verified this bug by creating a new Lovense account and asking Bobdahacker to reveal our registered email address, which they did in about a minute. By automating the process with a computer script, the researcher said they could obtain a user's email address in less than one second.
Bobdahacker said a second vulnerability allowed them to take over any Lovense user's account using only the account's email address, which could be obtained through the earlier bug. This bug lets anyone create authentication tokens for accessing a Lovense account without needing a password, allowing an attacker to remotely control the account as if they were the real user.
“Cam models use these tools for work. So it was a huge deal.
The bugs affect anyone with a Lovense account or device.
Bobdahacker disclosed the bugs to Lovense on March 26 through the Internet of Dongs, a project that aims to improve the security and privacy of sex toys and helps report and disclose flaws to device makers.
According to Bobdahacker, they were awarded a total of $3,000 through the bug bounty site HackerOne. But after several weeks of back and forth over whether the bugs had actually been fixed, the researcher went public this week, after Lovense asked for 14 months to fix the flaws. (Security researchers usually give vendors three months or less to fix a security bug before going public with their findings.)
The researcher gave the company notice ahead of the disclosure, according to an email seen by TechCrunch. Bobdahacker said in an update to the blog post on Tuesday that the bug may have been identified by another researcher as early as September 2023, but that the bug was reportedly closed without a fix.
Lovense did not respond to an email from TechCrunch.
