
Lovense, the maker of internet-connected sex toys, left personal emails exposed for months, even after it became aware of the vulnerability. In a blog post spotted by TechCrunch and Bleeping Computer, security researcher BobDaHacker found that they could “turn any username into their email address,” which they could then use to take over someone’s account.
Though BobDaHacker initially disclosed this vulnerability to Lovense in March, the researcher claims Lovense waited months before fixing it, and still hasn’t fully addressed the issue. Lovense is behind a range of sex toys that users can connect to the internet and remotely control via its app, which came under fire for a “minor bug” in 2017 that recorded users’ sex sessions.
As outlined in BobDaHacker’s post, the security researcher noticed something unusual in the app’s API response when muting someone: it returned their email address. BobDaHacker then figured out that they could take advantage of this vulnerability by sending a modified request to Lovense’s servers, tricking them into returning the target user’s email address.
BobDaHacker even developed a script that they say can convert someone’s username into an email address in less than a second. “This is especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker writes. To make matters worse, BobDaHacker later discovered that they could take over a user’s account with their email address and an authentication token generated by Lovense.
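The pattern the two paragraphs above describe, an API that echoes a stored user record back to whoever triggers an action on that user, is a classic case of excessive data exposure. The example below is added here to show the leaky shape beside the hardened one; it is not Lovense code, and the mute endpoint, the field names and the in-memory user table are constructed assumptions for illustration. The fix is server-side: project the record onto an allow-list of public fields before serializing, so no client-supplied parameter can widen what comes back.

```python
"""Response field allow-listing, as a constructed example (not Lovense code).

The "mute" handler, the field names and USERS are assumptions made for
illustration; nothing here is taken from the real API described in the article.
"""
from __future__ import annotations

from typing import Any, Callable

# Constructed sample data, not real accounts.
USERS: dict[str, dict[str, Any]] = {
    "cam_model_01": {"id": 101, "username": "cam_model_01", "email": "private@example.invalid"},
    "viewer_42": {"id": 202, "username": "viewer_42", "email": "viewer@example.invalid"},
}

# The only fields it is acceptable to return about *another* user.
PUBLIC_USER_FIELDS = frozenset({"id", "username"})


def mute_user_leaky(target_username: str) -> dict[str, Any]:
    """Vulnerable shape: returns the whole stored record of the muted user.

    Anyone who can issue a mute for a public username gets that user's email,
    which is exactly what makes a username-to-email script trivial.
    """
    user = USERS.get(target_username)
    if user is None:
        return {"ok": False, "error": "no such user"}
    return {"ok": True, "muted": dict(user)}  # leaks "email"


def public_view(user: dict[str, Any]) -> dict[str, Any]:
    """Project a stored record onto the allow-list, dropping every other field."""
    return {k: v for k, v in user.items() if k in PUBLIC_USER_FIELDS}


def mute_user_fixed(target_username: str) -> dict[str, Any]:
    """Hardened shape: same call, same success response, only public fields."""
    user = USERS.get(target_username)
    if user is None:
        return {"ok": False, "error": "no such user"}
    return {"ok": True, "muted": public_view(user)}


def enumerate_emails(
    usernames: list[str], handler: Callable[[str], dict[str, Any]]
) -> dict[str, str | None]:
    """Model the enumeration script: call the handler once per public username
    and record whatever email, if any, the response contains."""
    return {u: handler(u).get("muted", {}).get("email") for u in usernames}


if __name__ == "__main__":
    names = list(USERS)
    print("leaky:", enumerate_emails(names, mute_user_leaky))
    print("fixed:", enumerate_emails(names, mute_user_fixed))
```

Running it shows the leaky handler yielding an email for every username and the fixed handler yielding none, while both still report a successful mute. The allow-list belongs in the serializer used by every endpoint that returns other users' records, not just the one where the leak was noticed.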
BobDaHacker initially reported these vulnerabilities in partnership with the Internet of Dongs, a group that aims to make internet-connected sex toys more secure. However, the security researcher says Lovense didn’t immediately fix the issue. Instead, Lovense claimed that the account takeover bug was fixed in April, even though BobDaHacker said it wasn’t, and that a fix for the email leak issue would take 14 months to roll out.
“We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions,” Lovense said, according to BobDaHacker. As noted by BobDaHacker, security researchers reported the same account takeover bug to Lovense in 2023, but the company appears to have closed the bug without actually fixing it.
In a statement to Bleeping Computer, Lovense says it has submitted an app update “addressing the latest vulnerabilities” to app stores. “The full update is expected to be pushed to all users within the next week,” Lovense says. “Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.” Lovense didn’t immediately respond to The Verge’s request for comment.