Thursday, July 31, 2025

Connected sex toy maker Lovense left its users' email addresses exposed for several months

Informed by a researcher of two flaws that exposed its users' email addresses and allowed their accounts to be taken over, Lovense waited a few months before correcting them.

Aware of two major security flaws for several months, the maker of Lovense connected sex toys has still not corrected them. In a blog article published at the end of July and spotted by the specialist site TechCrunch, a security researcher explains that these vulnerabilities expose user email addresses and, worse, allow user accounts to be taken over.

More than 20 million people worldwide are affected. The researcher, known under the pseudonym Bobdahacker, discovered these flaws while using the application. When he muted a user, he realized that doing so revealed that user's email address.

A simple and fast process

The researcher then discovered how to expose the email addresses of all users, a simple and fast process. “The whole process took approximately 30 seconds per username manually. Thanks to the script (computer program, editor’s note) that we created to automate it, converting a username to an email address took less than a second,” said Bobdahacker.

“This is particularly problematic for camgirls who share their usernames publicly, but who obviously do not want their personal email addresses to be disclosed,” he said.

The researcher then discovered that an email address alone was enough to take control of the user’s account. More specifically, the second flaw allows anyone to create authentication tokens to access a Lovense account without a password.

“The cam models use these tools to work; it was therefore a real asset. Anyone could take control of an account simply by knowing its email address,” lamented the researcher.

14 months to correct the flaws

Bobdahacker reported the two flaws to Lovense last March. The company then assured him that it was working on correcting them. At the same time, the researcher also disclosed these vulnerabilities on HackerOne, a site that offers bounties for the discovery of bugs. He received a bounty of $3,000.

But what mattered most to him was whether Lovense had corrected the two flaws, which was not the case. After several weeks of discussion, he made the matter public this week, revealing that the manufacturer had informed him that it would need 14 months to correct the vulnerabilities.

“Following your report, we have conducted an in-depth survey and implemented initial corrective measures. (…) However, the resolution of the deep cause requires more in-depth architectural work. We have launched a long-term correction plan which will take about 10 months, and at least 4 additional months will be necessary to implement a complete solution,” replied Lovense.

In its message, the company also explained that it had a faster solution, taking one month, to correct the flaws, but that it would force users to update the application and disrupt support for older versions of the application. For that reason, it abandoned this option.

Flaws soon to be corrected?

In the same blog article, Bobdahacker revealed that the flaw allowing accounts to be taken over had already been identified by a researcher almost two years ago. Known under the pseudonym Krissy, she told him that she had discovered this vulnerability in September 2023 with another researcher.

She had also reported the flaw to Lovense, which claimed to have corrected it. To date, the manufacturer claims to have solved the two problems. It told TechCrunch that the account takeover bug was now fully resolved and that the other flaw would be corrected in an update that should be deployed to all users next week.

hadley.scott