{"id":823,"date":"2025-07-30T02:07:51","date_gmt":"2025-07-29T22:07:51","guid":{"rendered":"https:\/\/www.actutech.app\/lovense-was-told-its-sex-toy-app-leaked-users-emails-and-didnt-fix-it\/"},"modified":"2025-07-30T02:07:51","modified_gmt":"2025-07-29T22:07:51","slug":"lovense-was-told-its-sex-toy-app-leaked-users-emails-and-didnt-fix-it","status":"publish","type":"post","link":"http:\/\/www.actutech.app\/en\/lovense-was-told-its-sex-toy-app-leaked-users-emails-and-didnt-fix-it\/","title":{"rendered":"Lovense was told its sex toy app leaked users\u2019 emails and didn\u2019t fix it"},"content":{"rendered":"<figure>\n<p><img decoding=\"async\" alt=\"\" data-caption=\"\" data-portal-copyright=\"\" data-has-syndication-rights=\"1\" src=\"https:\/\/platform.theverge.com\/wp-content\/uploads\/sites\/2\/2025\/07\/lovesense-mission-2.png?quality=90&amp;strip=all&amp;crop=0,0,100,100\" \/><figcaption>\n\t\t<\/figcaption><\/p><\/figure>\n<p class=\"has-text-align-none\">Lovense, the maker of internet-connected sex toys, left user emails exposed for months \u2014 even after it became aware of the vulnerability. 
In <a href=\"https:\/\/bobdahacker.com\/blog\/lovense-still-leaking-user-emails\" target=\"_blank\" rel=\"noopener\">a blog post<\/a> spotted <a href=\"https:\/\/techcrunch.com\/2025\/07\/29\/sex-toy-maker-lovense-caught-leaking-users-email-addresses-and-exposing-accounts-to-takeovers\/\" target=\"_blank\" rel=\"noopener\">by <em>TechCrunch<\/em><\/a> and <em><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/lovense-sex-toy-app-flaw-leaks-private-user-email-addresses\/\" target=\"_blank\" rel=\"noopener\">Bleeping Computer<\/a><\/em>, security researcher BobDaHacker found that they could \u201cturn any username into their email address,\u201d which they could then use to take over someone\u2019s account.<\/p>\n<p class=\"has-text-align-none\">Though BobDaHacker initially disclosed this vulnerability to Lovense in March, the researcher claims Lovense waited months before fixing it, and still hasn\u2019t fully addressed the issue. Lovense is behind a range of sex toys that users can connect to the internet and remotely control via its app, which came under fire for a \u201cminor bug\u201d in 2017 that <a href=\"https:\/\/www.theverge.com\/2017\/11\/10\/16634442\/lovense-sex-toy-spy-surveillance\" target=\"_blank\" rel=\"noopener\">recorded users\u2019 sex sessions<\/a>.<\/p>\n<p class=\"has-text-align-none\">As outlined in BobDaHacker\u2019s post, the security researcher noticed something strange in the app\u2019s API response when muting someone: it presented their email address. BobDaHacker then figured out that they could take advantage of this vulnerability by sending a modified request to Lovense\u2019s servers, tricking them into returning the target user\u2019s email address.\u00a0<\/p>\n<p class=\"has-text-align-none\">BobDaHacker even developed a script that they say can convert someone\u2019s username into an email address in less than a second. 
\u201cThis is especially bad for cam models who share their usernames publicly but obviously don\u2019t want their personal emails exposed,\u201d BobDaHacker writes. To make matters worse, BobDaHacker later discovered that they could take over a user\u2019s account with their email address and an authentication token generated by Lovense.\u00a0<\/p>\n<p class=\"has-text-align-none\">BobDaHacker initially reported these vulnerabilities in partnership with the Internet of Dongs, a group that aims to make internet-connected sex toys more secure. However, the security researcher says Lovense didn\u2019t immediately fix the issue. Instead, Lovense claimed that the account takeover bug was fixed in April, even though BobDaHacker said it wasn\u2019t, and that a fix for the email leak issue would take 14 months to roll out.<\/p>\n<p class=\"has-text-align-none\">\u201cWe also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions,\u201d Lovense said, according to BobDaHacker. As noted by BobDaHacker, security researchers reported the same account takeover bug to Lovense in 2023, but the company appears to have closed the bug without actually fixing it.<\/p>\n<p class=\"has-text-align-none\">In a statement to <em>Bleeping Computer<\/em>, Lovense says it has submitted an app update \u201caddressing the latest vulnerabilities\u201d to app stores. \u201cThe full update is expected to be pushed to all users within the next week,\u201d Lovense says. 
\u201cOnce all users have updated to the new version and we disable older versions, this issue will be completely resolved.\u201d Lovense didn\u2019t immediately respond to <em>The Verge<\/em>\u2019s request for comment.\u00a0<\/p>","protected":false},"excerpt":{"rendered":"<p>Lovense, the maker of internet-connected sex toys, left user emails exposed for months \u2014 even after it became aware of [&hellip;]<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-823","post","type-post","status-publish","format-standard","hentry","category-non-classe"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/www.actutech.app\/en\/wp-json\/wp\/v2\/posts\/823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.actutech.app\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.actutech.app\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.actutech.app\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.actutech.app\/en\/wp-json\/wp\/v2\/comments?post=823"}],"version-history":[{"count":0,"href":"http:\/\/www.actutech.app\/en\/wp-json\/wp\/v2\/posts\/823\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.actutech.app\/en\/wp-json\/wp\/v2\/media?parent=823"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.actutech.app\/en\/wp-json\/wp\/v2\/categories?post=823"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.actutech.app\/en\/wp-json\/wp\/v2\/tags?post=823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}