Lovense, a major manufacturer of sex toys, is in hot water after being discovered to have shipped products with vulnerabilities that leaked users’ email addresses. The company has repeatedly estimated that it will take 14 months to completely address these problems. It provided a short-term, one-month fix that is vulnerable to continued abuse and relies on users to update their apps. The uncertainty worsened when Lovense’s CEO, Dan Liu, threatened to sue. This was announced just days after a prominent security researcher disclosed two critical vulnerabilities.
If you’re just joining us, earlier this week our own BobDaHacker disclosed two critical security flaws to Lovense. He had first mentioned the weaknesses in question earlier this year. One of these flaws unexpectedly led to the leak of numerous private user email addresses. Lovense recommended that users update their apps to restore use of all of the app’s functionality. In its failed response, the company focused on not being on the hook for having developed the vulnerabilities.
Liu claimed that reports regarding the severity of the bugs were erroneous, asserting that there is “no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.” TechCrunch and other media outlets worked together to confirm the email disclosure problem. They opened new accounts and used them to test which email addresses those accounts were tied to, with BobDaHacker cracking the code.
The potential impact of these security vulnerabilities has alarmed Lovense’s customer base. Liu has publicly stated that the company is “investigating the possibility of legal action” against BobDaHacker for his disclosures. This extraordinarily serious threat has only added to the intense controversy around the company’s public and private postures toward these vulnerabilities.
As part of its attempts to reassure customers, Lovense has announced its plan to resolve the issues. Liu noted that while the complete resolution may take 14 months, the expedited update process is designed to protect user data more swiftly. Even with this commitment, criticism of how Lovense has handled the situation since the security vulnerabilities were disclosed has not subsided.
Lovense is going through a rough time now. It’s hard to know how a possible lawsuit might damage the goodwill it has gained or the trust users have in its brand. All of this is to say that the continued investigation into vulnerabilities is bringing the tech community’s focus back to security. Many are calling on companies like Lovense to embrace transparency and accountability.