
Lovense was told its sex toy app leaked users’ emails and didn’t fix it

A security researcher found that they could generate someone’s email address with their username — and then take over their account.

Image: Lovense
Emma Roth
is a news writer who covers the streaming wars, consumer tech, crypto, social media, and much more. Previously, she was a writer and editor at MUO.

Lovense, the maker of internet-connected sex toys, left user emails exposed for months — even after it became aware of the vulnerability. In a blog post spotted by TechCrunch and Bleeping Computer, security researcher BobDaHacker found that they could “turn any username into their email address,” which they could then use to take over someone’s account.

BobDaHacker initially disclosed this vulnerability to Lovense in March, but the researcher claims Lovense waited months before fixing it. Lovense makes a range of sex toys that users connect to the internet and control remotely through its app; that app came under fire in 2017 for a “minor bug” that recorded users’ sex sessions.

As outlined in BobDaHacker’s post, the researcher noticed something strange in the app’s API response when muting another user: the response included that user’s email address. BobDaHacker then found that a modified version of the same request, sent to Lovense’s servers, returned the email address of whichever user was named as the target.

BobDaHacker even developed a script that they say can convert someone’s username into an email address in less than a second. “This is especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker writes. To make matters worse, BobDaHacker later discovered that they could take over a user’s account with their email address and an authentication token generated by Lovense.
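The bug class described in the two paragraphs above, as an added example that is not from the article or from Lovense: a hypothetical “mute” endpoint that serialises the whole target user record (the leak pattern BobDaHacker describes), beside a version that builds its response from a field allowlist, plus the username-to-email lookup that only the vulnerable version permits. The endpoint and field names, the sample accounts and the attacker account are constructed for this illustration; the real request format is not given in the article.

```python
"""Hypothetical illustration of the API bug class in the article: an action
endpoint (here "mute") that serialises the whole target user record, so the
response carries the target's private email. Not Lovense's code; endpoint
names, field names and sample users are constructed for this example."""
from dataclasses import asdict, dataclass, fields
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class User:
    username: str      # public: shown on profiles, cam sites, etc.
    display_name: str  # public
    email: str         # private: must never appear in another user's response


# Constructed sample accounts.
USERS: Dict[str, User] = {
    "alice": User("alice", "Alice", "alice@example.com"),
    "mallory": User("mallory", "Mallory", "mallory@example.com"),
}

# Allowlist of fields any logged-in user may see about another user.
# Everything not listed here is private by default.
PUBLIC_FIELDS = ("username", "display_name")

# Private fields derived from the allowlist, used by the leak check below.
PRIVATE_FIELDS = tuple(f.name for f in fields(User) if f.name not in PUBLIC_FIELDS)


def _lookup(requester: str, target: str) -> User:
    if requester not in USERS or target not in USERS:
        raise ValueError("unknown user")
    return USERS[target]


def mute_vulnerable(requester: str, target: str) -> dict:
    """The pattern the article describes: the handler echoes the entire
    target record, private fields included, to whoever sent the request."""
    user = _lookup(requester, target)
    return {"muted": True, "target": asdict(user)}


def serialize_public(user: User) -> dict:
    """Serialiser that emits only allowlisted fields; adding a new private
    field to User later does not widen the response."""
    return {k: v for k, v in asdict(user).items() if k in PUBLIC_FIELDS}


def mute_hardened(requester: str, target: str) -> dict:
    """Same endpoint with the response built from the public serialiser."""
    user = _lookup(requester, target)
    return {"muted": True, "target": serialize_public(user)}


Endpoint = Callable[[str, str], dict]


def username_to_email(target: str, endpoint: Endpoint = mute_vulnerable,
                      attacker: str = "mallory") -> Optional[str]:
    """What the researcher's script did in effect: call the leaking endpoint
    from any ordinary account and read the target's email out of the reply."""
    resp = endpoint(attacker, target)
    return resp["target"].get("email")


def leaks_private_fields(resp: dict) -> bool:
    """Response check suitable for an API test suite: does any private field
    of the target appear in the body?"""
    return any(f in resp["target"] for f in PRIVATE_FIELDS)


if __name__ == "__main__":
    print("vulnerable:", username_to_email("alice"))
    print("hardened:  ", username_to_email("alice", endpoint=mute_hardened))
```

The control that matters is the allowlist in `serialize_public`: the hardened handler can never leak a field it was not explicitly told to expose, whereas the vulnerable one leaks every field the model gains over time. `leaks_private_fields` is the kind of assertion an API test suite would run against every endpoint that returns another user’s record, which is the check that would have caught this before release.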

Though BobDaHacker says Lovense has since fixed the email-leaking bug, and now blocks users from trying to hijack someone’s account with an authentication token, it took the company months — and a lot of public pressure — to issue the fix.

BobDaHacker initially reported these vulnerabilities in partnership with the Internet of Dongs, a group that aims to make internet-connected sex toys more secure. However, the security researcher says Lovense didn’t immediately fix the issues. Instead, Lovense said the account takeover bug had been fixed in April, which BobDaHacker disputed, and that a fix for the email leak would take 14 months to roll out.

“We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions,” Lovense said, according to BobDaHacker. As noted by BobDaHacker, other security researchers reported these issues in 2022 and 2023, but the company appears to have closed the bug without actually fixing it.

In a statement to The Verge, Lovense CEO Dan Liu confirms that the bugs are now fixed. “The originally scheduled long term 14-month system reconstruction plan was completed significantly ahead of schedule due to the team’s dedicated efforts and increased resource allocation,” Liu says, adding that “there is no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.”

Update, July 30th: Added that Lovense addressed the bugs.

Update, July 31st: Added a statement from Lovense.
