Security
Sex toy maker Lovense security flaw puts user data at risk
Once someone knows your email, they can take over your Lovense account. They don’t need your password.

A security researcher known as BobDaHacker has revealed serious privacy and security issues with Lovense, a company that makes internet-connected sex toys and has over 20 million users.
These issues, if exploited, could expose users’ private email addresses and even allow hackers to fully take over their accounts.
The researcher found that while using the Lovense app, email addresses of other users were being leaked, although not directly shown in the app.
Anyone with a basic tool that monitors app traffic could spot a user’s email address when interacting with that user, for example by muting them.
This is particularly risky for people like cam models, who publicly share their usernames but expect their private emails to stay hidden.
Tech site TechCrunch tested this themselves. They created a Lovense account and asked BobDaHacker to reveal the registered email address.
The researcher did it in under a minute and claimed that with a simple computer script, it could be done in less than a second for any user.
Even more troubling, BobDaHacker uncovered a second flaw: once someone knows your email, they can take over your Lovense account. They don’t need your password.
They can trick the system into creating fake login credentials and remotely control your account as if they were you.
These bugs affect anyone who owns a Lovense product or has a user account. BobDaHacker reported the issues to Lovense back in March through a group focused on sex tech safety.
While the researcher received $3,000 in reward money, Lovense delayed fully fixing the issues, saying it would take 14 months to avoid disrupting users of older devices.
Most security bugs are expected to be fixed within three months.
Eventually, frustrated by the delay, the researcher went public.
After the news spread, Lovense claimed it had finally fixed the account-takeover bug and said the email leak would be patched within a week.
However, the company has not promised to directly alert users about the security flaws.
