Lovense, a maker of internet-connected sex toys, has confirmed it has fixed a pair of security vulnerabilities that exposed users' private email addresses and allowed attackers to remotely take over any user's account.
While the company said the bugs have been "fully resolved," its chief executive is now considering taking legal action following the disclosure.
In a statement shared with TechCrunch, Lovense CEO Dan Liu said the sex toy maker was "investigating the possibility of legal action" in response to allegedly inaccurate reports about the bug. When asked by TechCrunch, the company did not respond to clarify whether it was referring to media reports or to a security researcher's disclosure.
Details of the bug emerged this week after a security researcher, who goes by the handle BobDaHacker, disclosed that they reported the two security bugs to the sex toy maker earlier this year. The researcher published their findings after Lovense claimed it would take 14 months to fully address the vulnerabilities rather than applying a "faster, one-month fix" that would have required alerting users to update their apps.
Lovense said in its statement, attributed to Liu, that the fixes put in place would require users to update their apps before they can resume using all of the app's features.
In the statement, Liu claimed that there is "no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused." It's not clear how Lovense came to this conclusion, given that TechCrunch (and other outlets) verified the email disclosure bug by setting up a new account and asking the researcher to identify the associated email address.
TechCrunch asked Lovense what technical means, such as logs, the company has to determine whether there was any compromise of users' data, but a spokesperson did not respond.
It's not unprecedented for organizations to resort to legal demands and threats to try to block the disclosure of embarrassing security incidents, despite few rules or restrictions in the U.S. prohibiting such reporting.
Earlier this year, a U.S. independent journalist rebuffed a legal threat from a U.K. court injunction for accurately reporting a ransomware attack on U.K. private healthcare giant HCRG. In 2023, a county official in Hillsborough County, Florida, threatened criminal charges against a security researcher under the state's computer hacking laws for identifying and privately disclosing a security flaw in the county's court records system that exposed access to sensitive filings.