Lovense Faces Backlash Over Security Flaws Exposing User Accounts


By Lisa Wong


Lovense, one of the world’s leading makers of internet-connected sex toys, is now under fire. Recent disclosures have exposed serious security vulnerabilities that threaten the lives of its users. The company claims more than 20 million users across the globe. In 2023, it returned to the news as one of the first in its space to incorporate ChatGPT across its product lines. The newly disclosed flaws represent an alarming threat to user privacy and the security of their accounts.

On Monday, security researcher BobDaHacker disclosed severe vulnerabilities that allow bad actors to swiftly take over user accounts and expose sensitive information. Lovense had first triaged these bugs on March 26. The reports were submitted through the Internet of Dongs, an initiative created to improve the security and privacy of sex toys. The disclosure has caused an uproar, especially among the community that uses these devices, whether personally or professionally.

The original vulnerability allows any attacker to hijack a Lovense user’s account by knowing their email address. BobDaHacker highlighted the severity of the issue, stating, “Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address.”

Even more troubling is the fact that Lovense has publicly admitted it needs a full 14-month timeline to fix these security vulnerabilities. This decision was made to avoid inconveniencing users with older devices who would be forced to upgrade their apps immediately. As such, the company chose not to pursue a quicker one-month repair that would have mitigated immediate dangers.

According to thousands of public records, automated scripts are capable of pulling a user’s email address out of Lovense’s systems in under a second. This pace underlines the seriousness of the leak. The second vulnerability allows attackers to forge authentication tokens, giving them access to user accounts without requiring a password. In other words, an attacker could take control of an account from anywhere, with the same capabilities as the legitimate account owner.

Lovense’s slow response has drawn immense public condemnation from the cybersecurity community. BobDaHacker was awarded a $3,000 reward via the bug bounty platform HackerOne for the find. The award underscores the value of carefully and responsibly disclosing vulnerabilities. Despite repeated follow-up efforts, TechCrunch was unable to reach Lovense for comment before publication.

In light of these revelations, Lovense has promised that fixes will be “pushed to all users within the next week,” though concerns linger about whether this will be sufficient to restore user trust. Users are right to be more wary, and the episode highlights the broader problem of cybersecurity across the tech industry. This kind of whitewash is most dangerous in industries that handle sensitive and personal information.