A security researcher says sex toy maker Lovense has failed to fully fix two security flaws that expose the private email addresses of its users and allow the takeover of any user’s account.
The researcher, who goes by the handle BobDaHacker, published details of the bugs on Monday after Lovense claimed it would need 14 months to fix the flaws so as to not inconvenience users of some of its legacy products.
Lovense is one of the largest makers of internet-connected sex toys and is said to have more than 20 million users. The company made headlines in 2023 for becoming one of the first sex toy makers to integrate ChatGPT into its products.
But the inherent security risks in connecting sex toys to the internet can put users at risk of real-world harm if something goes wrong, including device lock-ins and data privacy leaks.
BobDaHacker said they discovered that Lovense was leaking people’s email addresses while they used the app. Although other users’ email addresses were never shown in the app’s interface, anyone using a network analysis tool to inspect the data flowing in and out of the app would see the email address of any user they interacted with, for example by muting them.
By modifying the network request from a logged-in account, BobDaHacker said they could associate any Lovense username with their registered email address, potentially exposing any customer who has signed up to Lovense with an identifiable email address.
“This was especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker wrote in their blog post.
TechCrunch verified this bug by creating a new account on Lovense and asking BobDaHacker to reveal our registered email address, which they did in about a minute. By automating the process with a computer script, the researcher said they could obtain a user’s email address in less than a second.
BobDaHacker said a second vulnerability allowed them to take over any Lovense user’s account using just their email address, which could be derived from the earlier bug. This bug lets anyone create authentication tokens for accessing a Lovense account without needing a password, allowing an attacker to remotely control the account as if they were the real user.
“Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,” said BobDaHacker.
The bugs affect anyone with a Lovense account or device.
BobDaHacker disclosed the bugs to Lovense on March 26 via the Internet of Dongs, a project that aims to improve the security and privacy of sex toys and helps report and disclose flaws to device makers.