Lovense Data Breach: Email Leak & Account Takeovers

Lovense Security Flaws Expose User Data and Enable Account Takeovers
A security vulnerability assessment has revealed that Lovense, a prominent manufacturer of internet-connected sex toys, has not completely resolved two significant security issues. These flaws potentially expose the email addresses of users and permit unauthorized access to user accounts.
Details of the Discovered Vulnerabilities
The security researcher, known as BobDaHacker, publicly disclosed the details of these vulnerabilities on Monday. This action followed Lovense’s announcement that a full resolution would require a 14-month timeframe, a delay intended to avoid disrupting users of older product versions.
Lovense boasts a substantial user base, estimated to exceed 20 million individuals, and is recognized as a leader in integrating technologies like ChatGPT into its product line.
However, the inherent risks associated with connecting intimate devices to the internet present potential dangers to users. These risks include device control issues and breaches of data privacy.
Email Address Exposure
BobDaHacker discovered that the Lovense application was inadvertently revealing users' email addresses. The addresses were never shown in the app's interface, but they were present in the app's network traffic: inspecting the data exchanged during an interaction such as muting another user showed that user's registered email address.
By manipulating those network requests, the researcher demonstrated that any Lovense username could be linked to its registered email address. This could expose the identity of any customer who registered with a personally identifiable email.
Cam models, who often share usernames publicly but wish to protect their personal email addresses, are particularly vulnerable to this exposure.
TechCrunch independently confirmed the vulnerability by creating a test account and asking BobDaHacker to retrieve its registered email address, which was obtained within a minute. Automated scripts could do the same in under a second.
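The flaw described above is a classic case of an API response carrying fields the client never renders. The following added example (not Lovense's code; the endpoint shape, field names and sample payload are constructed for illustration) shows a defender-side check: walk a decoded JSON response for PII keys, and replace the over-exposed user record with an allowlisted view containing only what the mute UI needs.

```python
"""Added example: audit a JSON API response for PII that the client never
renders, and build the minimal view it actually needs. The payload below is
constructed to mirror the bug described in the text; nothing here is the
vendor's real API."""
import json

# Keys that must not leave the server unless the client explicitly needs them.
PII_KEYS = {"email", "phone", "address", "ip"}


def find_pii(obj, path=""):
    """Recursively walk a decoded JSON value; return dotted paths of PII keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            sub = f"{path}.{key}" if path else key
            if key.lower() in PII_KEYS:
                hits.append(sub)
            hits.extend(find_pii(value, sub))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_pii(value, f"{path}[{i}]"))
    return hits


def public_view(user):
    """Hardened serializer: allowlist only the fields the mute screen renders."""
    return {k: user[k] for k in ("id", "username") if k in user}


# Constructed "mute user" response: the full record of the muted user comes
# back, including an email the app's interface never displays.
MUTE_RESPONSE = json.loads("""{
  "status": "ok",
  "muted": {"id": 42, "username": "cam_user", "email": "cam_user@example.com"}
}""")


def audit_mute_response(resp=MUTE_RESPONSE):
    """Return (paths of leaked PII, hardened copy of the response)."""
    leaks = find_pii(resp)
    hardened = dict(resp)
    hardened["muted"] = public_view(resp["muted"])
    return leaks, hardened


if __name__ == "__main__":
    leaks, hardened = audit_mute_response()
    print("leaked fields:", leaks)          # ['muted.email']
    print("hardened:", json.dumps(hardened))
```

Running `find_pii` over recorded app traffic in a CI or proxy test is how a gap between "visible in the UI" and "present on the wire" gets caught before release.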
Account Takeover Vulnerability
A second, more critical vulnerability allowed for the complete takeover of Lovense user accounts using only the user’s email address. This flaw enables the creation of authentication tokens, granting access to an account without requiring a password.
Essentially, an attacker could remotely control an account as if they were the legitimate user. BobDaHacker emphasized the severity of this issue, stating that anyone knowing an email address could potentially compromise an account.
These vulnerabilities impact all individuals with a Lovense account or device.
Disclosure and Response
BobDaHacker initially reported these vulnerabilities to Lovense on March 26th, through the Internet of Dongs project, an initiative focused on enhancing the security of sex toys.
A bug bounty of $3,000 was awarded via HackerOne. However, disagreements regarding the effectiveness of the implemented fixes led BobDaHacker to publicly disclose the vulnerabilities after Lovense requested a 14-month remediation period. This timeframe exceeds the typical 3-month window granted to vendors for security patch implementation.
Lovense explained its decision to avoid a faster, one-month fix, citing the need to avoid forcing immediate app upgrades on users of older products.
Evidence suggests the email exposure bug may have been previously identified as early as September 2023, but was reportedly closed without a proper resolution.
Lovense's Recent Statement
Following publication of this report, a Lovense representative stated that the account takeover vulnerability “has now been fully addressed.” The company also indicated that a patch for the email disclosure bug is expected to be deployed to all users within the next week.
However, the representative did not commit to proactively notifying customers about these security issues.
Further Information
- Internet of Dongs: A project dedicated to improving sex toy security.
- HackerOne: A bug bounty platform.