Lovense App Flaw Exposed Users’ Emails and Enabled Hijacks
Security researcher BobDaHacker uncovered a flaw in Lovense’s internet-connected sex toy app that leaked user emails through its API. By converting usernames into email addresses, attackers could hijack accounts using an authentication token. Although reported in March, Lovense delayed a full fix until a phased app update.
Lovense, the maker of internet-connected sex toys, faced renewed scrutiny after security researcher BobDaHacker revealed an API flaw that publicly exposed user email addresses. Even more alarming, this leak could be paired with an authentication token to fully hijack user accounts.
The Vulnerability Uncovered
In March, BobDaHacker noticed that when muting another user in the Lovense app, the API response included that user’s email address. By tweaking the request payload, the researcher demonstrated a script that could convert any public username into its associated email in under a second.
- Send a modified mute API request targeting a known username.
- Parse the response to extract the user’s email address.
- Combine the email with a valid auth token to take over the account.
Implications for Users
This vulnerability poses serious privacy risks, especially for cam models and performers who often promote their usernames publicly but wish to keep personal contact details private. Exposed email addresses can lead to spam, phishing campaigns, and full account takeovers.
Delayed Fix and Response
Despite an initial disclosure in March—submitted alongside the Internet of Dongs advocacy group—Lovense did not fully remediate the issue until July. The company rolled out a phased update, citing compatibility challenges with legacy app versions and a planned 14-month timeline for a complete rollout.
Strengthening API Security
APIs are gateways to user data, and even minor oversights can have outsized consequences. Best practices include rigorous endpoint validation, rate limiting, and automated penetration tests that simulate real-world exploits to catch leaks before they reach production.
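As an added illustration of the flaw described above and of the "catch leaks before production" practice, here is a small Python model (not Lovense's code) of a mute handler that serializes the whole stored record into its response, next to a hardened version that builds the response from an explicit allow-list of public fields, plus a regression check that walks any decoded JSON response and reports where email-shaped values appear. User records and field names are constructed for the example.

```python
"""Added example, not code from the original article or from Lovense."""
import re

# Constructed sample store; usernames and addresses are made up.
USERS = {
    "performer42": {"id": 1, "username": "performer42",
                    "email": "private@example.com", "avatar": "a.png"},
}

# Fields another user is allowed to see about an account.
PUBLIC_FIELDS = ("id", "username", "avatar")


def mute_user_vulnerable(target_username):
    """Flawed pattern: the full stored record ends up in the API response."""
    user = USERS.get(target_username)
    if user is None:
        return {"status": "error", "reason": "not_found"}
    return {"status": "ok", "muted": dict(user)}


def public_view(user):
    """Build the response object from an allow-list, never from the raw record."""
    return {k: user[k] for k in PUBLIC_FIELDS}


def mute_user_fixed(target_username):
    """Hardened handler: same behaviour, but only public fields are returned."""
    user = USERS.get(target_username)
    if user is None:
        return {"status": "error", "reason": "not_found"}
    return {"status": "ok", "muted": public_view(user)}


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")


def find_email_leaks(obj, path="$"):
    """Walk a decoded JSON response; return JSON-path-like locations of email-shaped strings.
    Run it in tests against every endpoint that returns data about *other* users."""
    leaks = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            leaks += find_email_leaks(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            leaks += find_email_leaks(value, f"{path}[{i}]")
    elif isinstance(obj, str) and EMAIL_RE.fullmatch(obj):
        leaks.append(path)
    return leaks
```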
Organizations working with sensitive consumer platforms must adopt continuous monitoring, immediate patch cycles, and transparent disclosure processes. By integrating security into the software lifecycle, teams can rapidly detect and resolve vulnerabilities, maintaining user trust and compliance.