
A Lovense security flaw may be letting people take over accounts without a password

Sex toy company Lovense is leaking the email addresses of its app users and allowing account takeovers without asking for a password, according to a security researcher. As reported elsewhere, BobDaHacker, who describes themself as an ethical hacker committed to exposing and reporting security vulnerabilities, published a post in which they accuse Lovense of failing to fix a serious bug it was first made aware of in 2023.

According to the hacker (and later verified by TechCrunch), Lovense allows any username to be turned into their email address with the right know-how, a flaw they initially discovered after muting someone on the app. With their access to Lovense’s API, they were able to obtain the email associated with any public username in less than a second when running the modified request process through an automated script. They noted that the vulnerable nature of these accounts is “especially bad for cam models” who use the Lovense platform for work, and may share their usernames for that purpose.

The researcher also realized that with a user’s email address (either one you already know or one obtained using the aforementioned disclosure bug), they could generate auth tokens that allowed them to take over the associated account without a password. This allegedly worked for the Lovense Chrome Extension and Lovense Connect app, as well as the company’s Cam101 and StreamMaster software, and even admin accounts.

BobDaHacker said they initially reported the bugs to Lovense with support from a sex tech hacking project in March 2025, and received $3,000 in total for flagging them via the HackerOne security platform. After a series of interactions with Lovense representatives, they were told in early June that the account takeover bug had been fixed during the previous month, which the researcher claims is not true. Regarding the email disclosure flaw, Lovense said in a message published by BobDaHacker that it could take up to 14 months to fix the issue, as a faster one-month fix would “require forcing all users to upgrade immediately,” which it said would “disrupt support for legacy versions.”

The researcher went on to say that they were contacted by a Twitter user who claimed to have found the same account takeover bug as far back as 2023, and had been told shortly after reporting it to Lovense that the bug had been resolved, which wasn’t the case. They said a patch eventually fixed their method, which used an HTTP endpoint to convert a username into an email address, but that it wasn’t rolled out until early 2025. BobDaHacker said they had requested comment from Lovense but at the time of writing had not received one.

This isn’t the first time Lovense users have run into privacy bugs. In 2017, a Redditor reported that the Lovense app, which allows users to control their sex toys remotely, was recording audio without their consent and saving it to their phone. A commenter on the Reddit thread, who claimed to be a Lovense representative, called the recordings a “minor software bug” that affected the Android version of the app and said at the time that it had been fixed in an update.
