29 Jul 2025, 19:11
Serious Security Flaws Discovered in Lovense That Put Users at Risk
- Lovense has serious problems with security that could lead to data leaks.
- Malicious actors can take over user accounts knowing only the email address.
- The company needs up to 14 months to fix the security flaws.
As reported by TechCrunch and Engadget.
Serious security flaws have been discovered at Lovense, a company known for manufacturing sex toys. They allow users' email addresses to leak and user accounts to be taken over without a password. A security researcher named BobDaHacker published a report claiming that Lovense did not fix two vulnerabilities, one of which was reported back in 2023.
The email address leak was discovered during the use of an add-on, when BobDaHacker found that it was possible to obtain the email addresses of other users simply by interacting with them. By sending a modified request through the Lovense API, a malicious actor can determine the email address associated with any username.
The researcher also found that, knowing an email address, it is possible to obtain authentication tokens that allow taking over user accounts without entering a password. This vulnerability applies not only to regular user accounts but also to administrative ones.
BobDaHacker informed Lovense about these vulnerabilities in early 2025, receiving $3,000 for it through the HackerOne platform. After three lengthy negotiations with the company's representatives, Lovense stated that fixing one of the vulnerabilities could take up to 14 months, since the fix required a software security update for all users.
These security issues have caused concern, especially among cam models who use the Lovense platform for work and could be at risk if their personal data is revealed.
Lovense did not respond to requests for comment.