Lovense Security Flaws Expose User Emails and Enable Takeovers
A security researcher revealed two unpatched Lovense vulnerabilities that leak private user emails during app interactions and allow full account takeover via token generation. Cam models’ personal safety is at risk as attackers could control devices or expose identities. Patches remain delayed by 14 months.
Security Researchers Uncover Flaws
On Monday, researcher BobDaHacker publicly disclosed two critical vulnerabilities in Lovense’s internet-connected sex toys. Despite reporting these issues to the company on March 26 via the “Internet of Dongs” disclosure program, the flaws remain only partially patched. Lovense cited a 14-month timeline for a comprehensive fix—far exceeding the three-month industry standard.
Email Exposure Vulnerability
When users interact—muting or messaging—within the Lovense app, the system leaks other users’ email addresses in network traffic. While the app UI hides these emails, any network analysis tool will reveal them. By automating modified requests, an attacker can match any username to its registered email in under a second.
- Leaked via unencrypted API calls during routine app interactions
- Exposes cam models and public personalities who share usernames
Account Takeover Risk
A second vulnerability enables creation of valid authentication tokens with only the user’s email address. Attackers bypass passwords entirely, gaining full control over accounts and connected devices. For cam models and private users alike, this risk isn’t just digital—it can lead to extortion, reputational harm, or unwanted device lock-ins.
- No password needed—tokens generated via a simple API call
- Remote control of devices as if attacker were the legitimate user
Response and Broader Implications
Lovense received a $3,000 bounty via HackerOne but pushed back on a one-month hotfix, citing legacy device compatibility. Security experts warn that Internet-connected intimate devices demand rapid updates and end-to-end encryption to protect users’ privacy and safety.
This episode underscores a critical lesson: IoT security cannot lag behind innovation. Just as cars and medical devices require robust safety protocols, any connected personal device must be built with security by design. Delays in patching risk real-world harm and erode user trust.
QuarkyByte’s analysts recommend comprehensive threat modeling for every API endpoint, encrypted data flows across networks, and automated vulnerability scans before deployment. By simulating real-world attack scenarios, organizations can detect leaks and token vulnerabilities proactively and avoid lengthy remediation cycles.
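To make the two findings and the recommendations above concrete, here is an added Python sketch of the defensive patterns they argue for. It is illustrative code written for this page, not code from Lovense, the researcher, or QuarkyByte, and it assumes nothing about any real API: the user store, endpoint names, and sample responses are all constructed. It shows an allow-list serializer that only ever includes a user's email in that user's own view, a pre-deployment scan that flags any endpoint whose response to a non-owner contains an email-shaped string (the class of leak described under "Email Exposure Vulnerability"), and token issuance that is gated on password verification rather than on knowledge of an email address (the class of flaw described under "Account Takeover Risk").

```python
import hashlib
import hmac
import json
import re
import secrets
from typing import Any, Dict, Iterator, List, Optional

# Constructed in-memory user store and session table (placeholder data,
# not any vendor's schema).
USERS: Dict[str, Dict[str, Any]] = {}
TOKENS: Dict[str, str] = {}  # token -> user id

EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[A-Za-z]{2,}")

PUBLIC_FIELDS = ("id", "username")         # safe to show to any requester
OWNER_FIELDS = PUBLIC_FIELDS + ("email",)  # only the account holder sees these


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(user_id: str, username: str, email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[user_id] = {"id": user_id, "username": username, "email": email,
                      "salt": salt, "pw_hash": _hash_password(password, salt)}


def serialize_user(user_id: str, requester_id: str) -> Dict[str, Any]:
    """Allow-list serializer: the email field exists only in the owner's own view,
    so a mute/message endpoint that embeds another user's record cannot leak it."""
    user = USERS[user_id]
    fields = OWNER_FIELDS if requester_id == user_id else PUBLIC_FIELDS
    return {k: user[k] for k in fields}


def _strings_in(obj: Any) -> Iterator[str]:
    """Yield every string value anywhere inside a decoded JSON body."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _strings_in(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings_in(v)
    elif isinstance(obj, str):
        yield obj


def find_pii_leaks(responses: List[Dict[str, Any]]) -> List[str]:
    """Pre-deployment check over recorded responses: return the endpoints whose
    response to a requester other than the subject contains an email address."""
    leaks = []
    for r in responses:
        if r["requester"] == r["subject"]:
            continue  # a user may legitimately see their own email
        body = json.loads(r["body"])
        if any(EMAIL_RE.search(s) for s in _strings_in(body)):
            leaks.append(r["endpoint"])
    return leaks


def issue_token(email: str, password: str) -> Optional[str]:
    """Mint a session token only after the password verifies; an email address
    on its own is an identifier, never a credential."""
    user = next((u for u in USERS.values() if u["email"] == email), None)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = user["id"]
    return token


def user_for_token(token: str) -> Optional[str]:
    return TOKENS.get(token)


def seed_demo_users() -> None:
    # Constructed sample accounts (hypothetical names and addresses).
    register("u1", "alice_cam", "alice@example.com", "correct horse battery")
    register("u2", "bob_viewer", "bob@example.com", "hunter2!")


def build_demo_responses() -> List[Dict[str, Any]]:
    """Two constructed recordings of a hypothetical 'mute' endpoint: a legacy
    shape that echoes the muted user's full record, and the allow-listed shape."""
    seed_demo_users()
    return [
        {"endpoint": "POST /mute (legacy shape)", "requester": "u1", "subject": "u2",
         "body": json.dumps({"muted": {"username": "bob_viewer",
                                       "email": "bob@example.com"}})},
        {"endpoint": "POST /mute (allow-listed)", "requester": "u1", "subject": "u2",
         "body": json.dumps({"muted": serialize_user("u2", "u1")})},
    ]


if __name__ == "__main__":
    print("leaking endpoints:", find_pii_leaks(build_demo_responses()))
    print("token without password:", issue_token("bob@example.com", ""))
```

Run as a script it reports only the legacy-shaped endpoint as leaking and refuses to issue a token without a valid password. The scan is deliberately crude (a regex over every string in the body) because at the pre-deployment stage a false positive is cheap and a missed email is not; the same check can be pointed at recorded traffic from an integration test suite to catch a field that a new serializer or a debugging log line starts exposing.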