A Lovense safety flaw could also be letting individuals take over accounts and not using a password

Intercourse toy firm Lovense is leaking the e-mail addresses of its app customers and permitting account takeovers with out asking for a password, in line with a safety researcher. As reported by , BobDaHacker, who describes themself as an moral hacker dedicated to exposing and reporting safety vulnerabilities, printed an during which they accuse Lovense of failing to repair a severe bug it was first made conscious of in 2023.

In accordance with the hacker (and later verified by TechCrunch), Lovense permits any username to be become their e-mail tackle with the best know-how, a flaw they initially found after muting somebody on the app. With their entry to Lovense’s API, they have been capable of acquire the emails related to any public username in lower than a second when working the modified request course of by way of an automatic script. They famous that the weak nature of those accounts is “particularly dangerous for cam fashions” who use the Lovense platform for work, and will share their usernames for these functions.

The researcher additionally realized that with a consumer’s e-mail tackle (both one you already know or one obtained utilizing the aforementioned disclosure bug), they may generate auth tokens that allowed them to take over the related account and not using a password. This allegedly labored for the Lovense Chrome Extension and Lovense Join app, in addition to the corporate’s Cam101 and StreamMaster software program — and even admin accounts.

BobDaHacker mentioned they initially reported the bugs to Lovense with help from the intercourse tech hacking challenge in March 2025, and acquired $3,000 in complete for flagging them through the HackerOne safety platform. After a collection of interactions with Lovense representatives, they have been advised in early June that the account takeover bug had been mounted through the earlier month, which the researcher claims shouldn’t be true. Relating to the e-mail disclosure flaw, Lovense mentioned in a printed by BobDaHacker that it might take as much as 14 months to repair the problem, as a quicker one-month repair would “require forcing all customers to improve instantly,” which it mentioned would “disrupt assist for legacy variations.”

The researcher went on to say that they have been contacted by a Twitter consumer who claimed to have discovered the identical account takeover bug way back to 2023, and have been advised shortly after reporting it to Lovense that the bug had been resolved, which wasn’t the case. They mentioned a patch finally mounted their methodology, which used an HTTP endpoint to transform a username into an e-mail tackle, however that it wasn’t rolled out till early 2025. BobDaHacker mentioned they’d requested remark from Lovense however on the time of writing had not acquired one.

This isn’t the primary time Lovense customers have stumbled upon privacy concern bugs. In 2017, a Redditor that the Lovense app, which permits customers to manage their intercourse toys remotely, was recording audio with out their consent and saving it to their cellphone. A commenter on the Reddit , who claimed to be a Lovense consultant, referred to as the recordings a “minor software program bug” that affected the Android model of the app and mentioned on the time that it had been mounted in an replace.