A Lovense safety flaw could also be lett...

Intercourse toy firm Lovense is leaking the e-mail addresses of its app customers and permitting account takeovers with out asking for a password, in accordance with a safety researcher. As reported by , BobDaHacker, who describes themself as an moral hacker dedicated to exposing and reporting safety vulnerabilities, printed an during which they accuse Lovense of failing to repair a severe bug it was first made conscious of in 2023.

Based on the hacker (and later verified by TechCrunch), Lovense permits any username to be become their e-mail handle with the correct know-how, a flaw they initially found after muting somebody on the app. With their entry to Lovense’s API, they had been in a position to receive the emails related to any public username in lower than a second when working the modified request course of by means of an automatic script. They famous that the susceptible nature of those accounts is “particularly unhealthy for cam fashions” who use the Lovense platform for work, and should share their usernames for these functions.

The researcher additionally realized that with a consumer’s e-mail handle (both one you already know or one obtained utilizing the aforementioned disclosure bug), they may generate auth tokens that allowed them to take over the related account and not using a password. This allegedly labored for the Lovense Chrome Extension and Lovense Join app, in addition to the corporate’s Cam101 and StreamMaster software program — and even admin accounts.

BobDaHacker stated they initially reported the bugs to Lovense with help from the intercourse tech hacking challenge in March 2025, and obtained $3,000 in complete for flagging them by way of the HackerOne safety platform. After a sequence of interactions with Lovense representatives, they had been informed in early June that the account takeover bug had been mounted throughout the earlier month, which the researcher claims shouldn’t be true. Concerning the e-mail disclosure flaw, Lovense stated in a printed by BobDaHacker that it may take as much as 14 months to repair the difficulty, as a sooner one-month repair would “require forcing all customers to improve instantly,” which it stated would “disrupt assist for legacy variations.”

The researcher went on to say that they had been contacted by a Twitter consumer who claimed to have discovered the identical account takeover bug way back to 2023, and had been informed shortly after reporting it to Lovense that the bug had been resolved, which wasn’t the case. They stated a patch finally mounted their methodology, which used an HTTP endpoint to transform a username into an e-mail handle, however that it wasn’t rolled out till early 2025. BobDaHacker stated they’d requested remark from Lovense however on the time of writing had not obtained one.

This isn’t the primary time Lovense customers have stumbled upon privacy concern bugs. In 2017, a Redditor that the Lovense app, which permits customers to regulate their intercourse toys remotely, was recording audio with out their consent and saving it to their telephone. A commenter on the Reddit , who claimed to be a Lovense consultant, known as the recordings a “minor software program bug” that affected the Android model of the app and stated on the time that it had been mounted in an replace.