DataBreaches.Net


Sex toy maker Lovense caught leaking users’ email addresses and exposing accounts to takeovers

Posted on July 30, 2025 (updated August 1, 2025) by Dissent

This post has been updated to include a statement from Lovense, which appears in its entirety below the original post.

Zack Whittaker reports:

A security researcher says sex toy maker Lovense has failed to fully fix two security flaws that expose the private email addresses of its users and allow the takeover of any user’s account.

The researcher, who goes by the handle BobDaHacker, published details of the bugs on Monday after Lovense claimed it would need 14 months to fix the flaws so as to not inconvenience users of some of its legacy products.

Lovense is one of the largest makers of internet-connected sex toys and is said to have more than 20 million users. The company made headlines in 2023 for becoming one of the first sex toy makers to integrate ChatGPT into its products.

Read more at TechCrunch.

Updated August 1: Lovense has sent DataBreaches a statement by Dan Liu, their CEO:

Statement Regarding Recent Lovense Security Vulnerabilities
Statement from the CEO of Lovense

At Lovense, maintaining the trust of our customers and partners is our highest priority. We are aware of the recent report regarding security vulnerabilities disclosed by a security researcher. We want to provide clarity on the situation and outline the steps we have taken to address these concerns.

Summary of the Issue

The security researcher identified two vulnerabilities in our systems:

  1. Email Address Exposure: A bug that could potentially expose email addresses associated with Lovense accounts through specific network activity.
  2. Account Takeover Risk: A vulnerability that may allow unauthorized access to accounts using email addresses without requiring passwords.

These vulnerabilities were discovered under controlled conditions by the researcher, who is part of a bug bounty platform we joined in 2018, and not through malicious activity.

We want to reassure our customers that:

  • All identified vulnerabilities have been fully addressed.
  • As of today, there is no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.

Actions Taken

  • The email address exposure vulnerability has been fully resolved, and updates have been deployed to all users. Users must upgrade to the latest version to properly access all functions that may be affected by this vulnerability. While those who do not upgrade will not face security risks, certain features will become unavailable.
  • The account takeover vulnerability has been fixed following verification by our team.
  • In our commitment to privacy and security, we submitted these fixes to the bug bounty platform for further independent testing to ensure the robustness of our solutions. This is standard practice to safeguard user privacy and security.

Response to Timeframe for Fixes

To illustrate our approach, consider Lovense as a complex machine, where each component must function harmoniously for overall safety and reliability. When a faulty gear is identified, we conduct immediate repairs while evaluating the entire system to ensure all parts work together seamlessly. Although vulnerabilities relate to email addresses, the conditions triggering those are distinct, which requires tailored solutions and thorough testing. We adopted a dual-track strategy of emergency response and long-term optimization. The originally scheduled long-term 14-month system reconstruction plan was completed significantly ahead of schedule due to the team’s dedicated efforts and increased resource allocation. Reducing this comprehensive project to a simple “fixable in two days” is not only misleading but also overlooks the immense work put forth by our team.

Ensuring user safety has always been our core mission, a commitment reflected in our decision to join the HackerOne program in 2018. We are proud to be one of the earliest sex toy companies to have joined this initiative, demonstrating our dedication to user safety. We value the insights provided in the vulnerability disclosure report and appreciate the researcher’s proactive approach. However, we must clarify that any accusations of neglect regarding user safety are unfounded.

Commitment to Data Security

We regret any concern this report may have caused and remain steadfast in protecting user privacy and security. To prevent similar issues in the future, we are:

  • Conducting a comprehensive review of our security practices to proactively identify and resolve potential vulnerabilities.
  • Strengthening collaboration with external security researchers and platforms to enhance detection and response times.
  • Proactively communicating with users about security updates to maintain transparency and trust. We will also be rolling out a statement to users about these vulnerabilities.

In response to the numerous erroneous reports online, our legal team is investigating the possibility of legal action. Thank you for your understanding and continued trust in Lovense.

Kind Regards,

Dan Liu
CEO of Lovense


Category: Business Sector, Exposure

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.