Sex toy company Lovense is leaking the email addresses of its app users and allowing account takeovers without asking for a password, according to a security researcher. As reported by TechCrunch, BobDaHacker, who describes themself as an ethical hacker committed to exposing and reporting security vulnerabilities, published a detailed report in which they accuse Lovense of failing to fix a serious bug it was first made aware of in 2023.

According to the hacker (and later verified by TechCrunch), Lovense allows any username to be turned into that user's email address with the right know-how, a flaw they initially discovered after muting someone on the app. With their access to Lovense's API, they were able to obtain the emails associated with any public username in less than a second when running the modified request process through an automated script. They noted that the vulnerable nature of these accounts is "especially bad for cam models" who use the Lovense platform for work, and may share their usernames for those purposes.

The researcher also realized that with a user's email address (either one you already know or one obtained using the aforementioned disclosure bug), they could generate auth tokens that allowed them to take over the associated account without a password. This allegedly worked for the Lovense Chrome Extension and Lovense Connect app, as well as the company's Cam101 and StreamMaster software, and even admin accounts.

BobDaHacker said they initially reported the bugs to Lovense with help from the sex tech hacking project The Internet Of Dongs in March 2025, and received $3,000 in total for flagging them via the HackerOne security platform. After a series of interactions with Lovense representatives, they were told in early June that the account takeover bug had been fixed during the previous month, which the researcher claims is not true.
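The report describes two weaknesses in general terms: a lookup that turns a public username into the account's private email, and token issuance keyed on the email alone with no credential check. As an added illustration that is not Lovense's code, the researcher's script, or anything taken from the report, the following Python sketch shows each weak pattern next to a hardened form. The in-memory user table, the function names, the PBKDF2 password scheme and the sample account are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory user store (assumption: not any real schema).
_USERS: dict = {}
_SESSIONS: dict = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed scheme: PBKDF2-HMAC-SHA256, 32-byte output.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, email: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = {
        "email": email,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
    }


# --- Weak pattern 1: a public profile lookup that returns the private email.
def profile_weak(username: str) -> Optional[dict]:
    user = _USERS.get(username)
    if user is None:
        return None
    # Anyone who knows a username can harvest the email behind it.
    return {"username": username, "email": user["email"]}


# --- Hardened: only fields that are meant to be public leave the server.
def profile_hardened(username: str) -> Optional[dict]:
    user = _USERS.get(username)
    if user is None:
        return None
    return {"username": username}


def _find_by_email(email: str):
    for username, user in _USERS.items():
        if user["email"] == email:
            return username, user
    return None


# --- Weak pattern 2: a session token minted from an email with no credential.
def token_weak(email: str) -> Optional[str]:
    match = _find_by_email(email)
    if match is None:
        return None
    tok = secrets.token_urlsafe(32)
    _SESSIONS[tok] = match[0]
    return tok


# --- Hardened: the token is only issued after a constant-time password check,
# and an unknown email and a wrong password both return the same result, so the
# endpoint does not double as an account-existence oracle.
def token_hardened(email: str, password: str) -> Optional[str]:
    match = _find_by_email(email)
    # Always do the hashing work, even for an unknown email, to keep timing similar.
    salt = match[1]["salt"] if match else b"\x00" * 16
    expected = match[1]["pw_hash"] if match else bytes(32)
    candidate = _hash_password(password, salt)
    if match is None or not hmac.compare_digest(candidate, expected):
        return None
    tok = secrets.token_urlsafe(32)
    _SESSIONS[tok] = match[0]
    return tok


def whoami(token: str) -> Optional[str]:
    # Resolves a session token to the account it grants access to.
    return _SESSIONS.get(token)


if __name__ == "__main__":
    register("cam_model", "cam@example.com", "correct horse battery")
    print(profile_weak("cam_model"))       # email disclosed
    print(profile_hardened("cam_model"))   # email withheld
    print(whoami(token_weak("cam@example.com")))  # takeover with email only
    print(token_hardened("cam@example.com", "wrong"))  # None
```

The two hardened functions make the points a reviewer would raise against the weak ones: a username-to-profile endpoint should return only the fields the user chose to make public, and nothing that merely proves knowledge of an email (or a username) should ever be enough to obtain a session.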
Regarding the email disclosure flaw, Lovense said in a statement published by BobDaHacker that it could take up to 14 months to fix the issue, as a faster one-month fix would "require forcing all users to upgrade immediately," which it said would "disrupt support for legacy versions."

The researcher went on to say that they were contacted by a Twitter user who claimed to have found the same account takeover bug as far back as 2023, and had been told shortly after reporting it to Lovense that the bug had been resolved, which wasn't the case. They said a patch eventually fixed their method, which used an HTTP endpoint to convert a username into an email address, but that it wasn't rolled out until early 2025. BobDaHacker said they had requested comment from Lovense but at the time of writing had not received one.

This isn't the first time Lovense users have stumbled upon privacy-related bugs. In 2017, a Redditor discovered that the Lovense app, which allows users to control their sex toys remotely, was recording audio without their consent and saving it to their phone. A commenter on the Reddit post, who claimed to be a Lovense representative, called the recordings a "minor software bug" that affected the Android version of the app and said at the time that it had been fixed in an update.