TechRadar
Sead Fadilpašić

Lovense adult toy app leaks private user email addresses - what we know, and how to stay safe if you're affected

  • Researchers found a way to extract email addresses from Lovense user accounts
  • A mitigation was released, but allegedly it's not working as intended
  • The company claims it still needs months before plugging the leak

Lovense, a sex tech company specializing in smart, remotely controlled adult toys, had a vulnerability in its systems which could allow threat actors to view people’s private email addresses.

All they needed was that person's username, and apparently these are relatively easy to come by.

Recently, security researchers BobDaHacker, Eva, and Rebane discovered that if they knew someone's username (maybe they saw it on a forum or during a cam show), they could log into their own Lovense account (which doesn't need to be anything special, a regular user account will suffice) and use a script to turn the username into a fake email (this step uses encryption and parts of Lovense's system meant for internal use).

That fake email gets added as a “friend” in the chat system, but when the system updates the contact list, it accidentally reveals the real email address behind the username in the background code.

Automating exfiltration

The entire process can be automated and done in less than a second, which means threat actors could have abused it to grab thousands, if not hundreds of thousands of email addresses, quickly and efficiently.

More details about the flaw can be found in the original report.

The company has roughly 20 million customers worldwide, so the attack surface is rather large.

The bug was discovered together with another, even more dangerous flaw, which allowed for account takeover. While that one was quickly remedied by the company, this one has not yet been fixed. Apparently, the company still needs “months” of work to plug the leak:

"We've launched a long-term remediation plan that will take approximately ten months, with at least four more months required to fully implement a complete solution," Lovense told the researcher.

"We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions. We've decided against this approach in favor of a more stable and user-friendly solution."

Lovense also said that it deployed a proxy feature as a mitigation but apparently, it’s not working as intended.

For BobDaHacker, there is more to this story than "simple" security negligence on Lovense's part. He claims this is a "decade-long pattern" of "lies to researchers about fixing critical vulnerabilities," "prioritizing legacy app support over user security," "false statements to the press", and inconsistencies in paying researchers.

He says that the same vulnerability he found was already discovered in 2023 by security researcher Krissy, who was even paid $350 for her troubles (she found two bugs at the time). But despite claiming to have fixed the flaw, that never happened.

“Eva, Rebane, and I rediscovered the same account takeover bug via a different XMPP-based email disclosure method,” BobDaHacker told us via email. “We were unaware of Krissy's work until she contacted us after publication. Despite claiming the 2023 bugs were "fixed," Lovense treated our report as new discoveries and paid us $3,000.”

We have reached out to Lovense for further comment and will update the article accordingly.

How to stay safe

The attack is particularly concerning because such records could contain more than enough sensitive information for hackers to launch highly personalized, successful phishing campaigns, leading to identity theft, wire fraud, and even ransomware attacks.

If you're concerned you may have been caught up in the incident, don't worry - there are a number of ways to find out. HaveIBeenPwned? is probably the best resource to check if your details have been affected, offering a run-down of every big cyber incident of the past few years.

And if you save passwords to a Google account, you can use Google's Password Checkup tool to see if any have been compromised, or sign up for one of the best password manager options we've rounded up to make sure your logins are protected.

Edit, August 1 - After reaching out to Lovense about the email leaks, as well as accusations of lies, the company told TechRadar Pro, "all identified vulnerabilities have been fully addressed," and that there is no evidence they were abused in the wild.

It also explained why it took relatively long to address them:

"Although vulnerabilities relate to email addresses, the conditions triggering those are distinct, which requires tailored solutions and thorough testing. We adopted a dual-track strategy of emergency response and long-term optimization. The originally scheduled long term 14-month system reconstruction plan was completed significantly ahead of schedule due to the team's dedicated efforts and increased resource allocation. Reducing this comprehensive project to a simple "fixable in two days" is not only misleading but also overlooks the immense work put forth by our team," the statement reads.

As for paying the researchers differently, Lovense said it was a matter of the HackerOne platform:

"Regarding the "pay researcher differently" matter, we would like to further clarify that the HackerOne platform has a clear but complex reward structure based on the severity level and corresponding bounty. The platform takes a comprehensive approach to assess vulnerabilities, considering factors such as the complexity of the attack vector, the scope and severity of the impact, the mutual understanding of the vulnerability by both parties, and the specific bounty tier schedule we have submitted to the platform at the time of the assessment. As a result, this multifaceted evaluation process leads to varying levels of compensation for researchers."

Via BleepingComputer
