Lovense sex toy app flaw leaks private user email addresses https://t.co/rvjjC97QGI
Critical Flaw in Vibe-Coding Platform Base44 Exposed Apps: https://t.co/D6fiMULPMh by darkreading #infosec #cybersecurity #technology #news
App-connected sex toys are vulnerable to major security risks, leaving user emails vulnerable to hackers, after the firm failed to fix two security flaws. Full story https://t.co/Wwht65XNeW #Tech | #News | #SexToys | #Security
Lovense, one of the world’s largest makers of internet-connected sex toys, is facing renewed scrutiny after a security researcher disclosed two flaws that expose customers’ personal data and give attackers full control of user accounts. The researcher, who publishes under the name BobDaHacker, said the app leaks registered email addresses during routine interactions and lets anyone generate authentication tokens that bypass passwords. TechCrunch verified the findings by creating a dummy account and obtaining its email address within seconds. By chaining the flaws, an attacker could remotely operate any linked device or view a user’s purchase history, posing particular risks to sex-work professionals who rely on Lovense’s platform.

According to the researcher, Lovense acknowledged the issues in March and awarded a total of $3,000 through bug-bounty site HackerOne but asked for 14 months to deploy a comprehensive fix so as not to disrupt legacy products. After weeks of dispute over whether the problems were truly resolved, the researcher went public this week, saying the vulnerabilities remain exploitable.

Lovense, which claims more than 20 million users, has not responded to requests for comment. The disclosure adds to growing concerns about privacy and safety as more intimate devices connect to the internet.