Source: Techpulse.be (in Dutch)
BELGIUM/NETHERLANDS – One of the largest manufacturers of sex toys has a serious leak and apparently the company was not planning to do anything about it anytime soon.
The company in question is Lovense, one of the largest manufacturers of internet-connected sex toys. Think of vibrators that can be controlled remotely via the internet. More than 20 million people worldwide reportedly use their products. This week, a serious security vulnerability in the Lovense app was revealed, but only after the company refused to quickly patch it, which, in principle, would have been possible.
Access to all email addresses and accounts
The vulnerability was discovered by a security researcher going by the name BobDaHacker. He discovered that it was possible to obtain any user’s email address through the Lovense app. During normal use, you don’t see other users’ email addresses, but by using a network analysis tool, a wealth of additional data becomes visible, including the email addresses of users you interact with in the app. That interaction could, for example, simply be blocking a profile.
So, it was very easy to find every user’s email address. BobDaHacker even built an automated tool that could quickly retrieve a specific user’s email address. But it didn’t stop there. A second vulnerability was then discovered that allowed those accounts to be taken over. All that was needed was an email address, which could already be obtained through the first leak. The exploit could be used to create authentication tokens from the email address alone, without a password, and those tokens could then be used to access the user’s account.
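The two bug classes described above, excessive data exposure in an API response and session tokens issued from an email address alone, are illustrated below in hypothetical Python. This is an added example, not Lovense’s code or the researcher’s tooling; the user records, the `block_user_*` and `issue_token_*` functions and the sample addresses are all constructed for illustration. The leaky variants show why the researcher’s observations were possible; the fixed variants show the two checks a defender would expect: serialising only public fields, and verifying a password before minting a token.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Per-process signing secret for tokens (constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    user_id: int
    nickname: str
    email: str          # private: must never leave the server to other users
    salt: bytes
    password_hash: bytes
    blocked: set = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(user_id: int, nickname: str, email: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(user_id, nickname, email, salt, hash_password(password, salt))


# Constructed sample accounts; the addresses are placeholders, not real users.
USERS = {
    1: make_user(1, "alice_nick", "alice@example.test", "alice-pw"),
    2: make_user(2, "bob_nick", "bob@example.test", "bob-pw"),
}
BY_EMAIL = {u.email: u for u in USERS.values()}


def block_user_leaky(actor_id: int, target_id: int) -> dict:
    """Vulnerable pattern: the response serialises the blocked profile's whole
    stored record, so the caller (or anyone inspecting the app's traffic)
    learns the other user's email address."""
    USERS[actor_id].blocked.add(target_id)
    t = USERS[target_id]
    return {"user_id": t.user_id, "nickname": t.nickname, "email": t.email}


# Allow-list of fields that other users are permitted to see.
PUBLIC_FIELDS = ("user_id", "nickname")


def public_view(user: User) -> dict:
    return {name: getattr(user, name) for name in PUBLIC_FIELDS}


def block_user_fixed(actor_id: int, target_id: int) -> dict:
    """Hardened: same action, but the response goes through the allow-list."""
    USERS[actor_id].blocked.add(target_id)
    return public_view(USERS[target_id])


def sign(user_id) -> str:
    return hmac.new(SERVER_SECRET, str(user_id).encode(), "sha256").hexdigest()


def issue_token_by_email(email: str):
    """Vulnerable pattern: knowing an email address is enough to get a valid
    session token, so the data leak above turns directly into account takeover."""
    user = BY_EMAIL.get(email)
    return None if user is None else f"{user.user_id}.{sign(user.user_id)}"


def issue_token_fixed(email: str, password: str):
    """Hardened: a token is only minted after the password verifies."""
    user = BY_EMAIL.get(email)
    if user is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown emails
        return None
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return None
    return f"{user.user_id}.{sign(user.user_id)}"


def verify_token(token: str):
    """Returns the user id for a validly signed token, else None."""
    user_id, _, sig = token.partition(".")
    if user_id.isdigit() and hmac.compare_digest(sig, sign(user_id)):
        return int(user_id)
    return None


if __name__ == "__main__":
    print("leaky block response:", block_user_leaky(1, 2))
    print("fixed block response:", block_user_fixed(1, 2))
    print("token from email only:", issue_token_by_email("bob@example.test"))
    print("token with wrong password:", issue_token_fixed("bob@example.test", "wrong"))
```

The structural point is that the fix for the first bug is a response allow-list at the serialisation layer, not client-side hiding: the researcher saw the email precisely because the app merely did not display a field the server had already sent. The fix for the second bug is that token issuance must be gated on a credential the email holder does not automatically possess.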
Naturally, this is a serious security breach. It’s already serious when email addresses are exposed and accounts can be taken over, but in this case, the data involved is often particularly sensitive. Users often use nicknames because they don’t want to reveal their real identity, but their real identity can sometimes be revealed through their email address, which is essentially inaccessible to other users. Moreover, Lovense products are often used by webcam models, who also prefer to keep their real identity secret. Such a breach opens the door to serious abuse.
Delay at Lovense
BobDaHacker notified Lovense of the vulnerabilities on March 26th. This was done via Internet of Dongs, a project created to promote security and privacy around sex toys. However, a fix was delayed. When Lovense deliberately chose to forgo a quick fix, BobDaHacker decided to go public with it.
Typically, ethical hackers give companies three months to fix a problem before disclosing it publicly to warn the general public. Lovense also appeared to have been given that time, but ultimately decided against deploying a fix that would have only taken one month. That would have forced customers with older products to upgrade their apps immediately, which would have been too much of an inconvenience. Instead, Lovense wanted to deploy a fix that would take a total of 14 months, but for an exploit of this magnitude, that is, of course, unacceptably long.
Incidentally, there are indications that the leak had already been discovered by another researcher at the end of 2023. Lovense then closed the report and implied that the leak had been fixed, while in practice this was far from the case.
Then finally a fix
It’s unclear to what extent the exploit was actually abused, but in any case, the whole affair is detrimental to Lovense’s reputation. As is often the case, real action was only taken once everything was made public.
In a statement, a spokesperson said that the bug that allowed account takeovers has already been fixed. The email address issue would be addressed in a mandatory update sometime next week, meaning that vulnerability is still active. Lovense declined to commit to effectively informing customers about the vulnerabilities.