The connected sex toy platform Lovense is vulnerable to a zero-day flaw that allows an attacker to obtain a member's email address just by knowing their username, putting them at risk of doxxing and harassment.
Lovense is an interactive sex toy manufacturer, best known for producing app-controlled sex toys with names like the Lush, the Gush, and, perhaps most boldly, the Kraken. The company claims to have 20 million customers worldwide.
While Lovense toys are commonly used for both local and long-distance pleasure, they are also popular among cam models who allow viewers to tip or subscribe for remote control of their toys.
However, this connected experience can also expose their Lovense username and, due to this flaw, potentially reveal their private email address.
Lovense usernames are often publicly shared on forums and social media, making them easy targets for attackers.
The flaw was discovered by security researcher BobDaHacker, who collaborated with researchers Eva and Rebane to reverse engineer the app and automate the attack.
The researchers disclosed two flaws over four months ago, on March 26, 2025. However, only one of the flaws, a critical account hijacking flaw, was subsequently fixed.
The Lovense flaws
The vulnerability stems from the interaction between Lovense's XMPP chat system, used for communication between users, and the platform's backend.
"So it started when I was using the Lovense app and muted someone. That's it. Just muted them," explains BobDaHacker's report.
"But then I saw the API response and was like... wait, is that an email address? Why is that there? After digging deeper, I found out how to turn any username into their email address."
To exploit the flaw, an attacker makes a POST request to the /api/wear/genGtoken API endpoint with their credentials, which returns a gtoken (authentication token) and AES-CBC encryption keys.
The attacker then takes any publicly known Lovense username and encrypts it using the retrieved encryption keys. This encrypted payload is sent to the /app/ajaxCheckEmailOrUserIdRegisted?email={encrypted_username} API endpoint.
The server responds with data containing a fake email address, which the researcher converted into a fake Jabber ID (JID) used by Lovense's XMPP server.
By adding this fake JID to their XMPP contact list and sending a presence subscription over XMPP (similar to a friend request), the attacker can refresh the roster (contact list), which now includes both the fake JID and the real one associated with the target's account.
However, the problem is that the real JID is constructed using the user's actual email, in the format username!!!domain.com_w@im.lovense.com, allowing attackers to extract the victim's email address.
For example, if it returned bleeping!!!example.com_w@im.lovense.com, the resulting actual email of the Lovense account is bleeping@example.com.
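To illustrate the root cause, here is an added Python example that is not part of the article or of Lovense's code: it reproduces the JID format the researchers describe, shows that it is trivially reversible, and contrasts it with an opaque identifier derived from an internal user id and a server-side secret (the opaque scheme, the user id and the secret are assumptions, not Lovense's actual fix).

```python
# Added example (not Lovense's code). The legacy format follows the article's
# description: "username!!!domain.com_w@im.lovense.com".
import hashlib
import hmac
import re

XMPP_DOMAIN = "im.lovense.com"  # XMPP domain named in the article
LEGACY_JID_RE = re.compile(
    r"^(?P<local>[^!@]+)!!!(?P<domain>[^_@]+)_w@" + re.escape(XMPP_DOMAIN) + r"$"
)


def legacy_jid(email: str) -> str:
    """Reproduce the flawed scheme: the email's local part and domain are both
    embedded verbatim, so anyone who can see the roster can read the email."""
    local, domain = email.split("@", 1)
    return f"{local}!!!{domain}_w@{XMPP_DOMAIN}"


def email_from_legacy_jid(jid: str):
    """Invert the legacy scheme (the leak the article describes).
    Returns None if the JID is not in that format."""
    m = LEGACY_JID_RE.match(jid)
    if not m:
        return None
    return f"{m['local']}@{m['domain']}"


def opaque_jid(user_id: str, server_secret: bytes) -> str:
    """Hardened alternative (assumption, not Lovense's fix): derive the XMPP
    node from an internal user id with a keyed hash. Only the server, which
    holds the secret, can map the node back to an account."""
    node = hmac.new(server_secret, user_id.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{node}@{XMPP_DOMAIN}"


def jid_leaks_email(jid: str, email: str) -> bool:
    """Defender's check: does the JID's node part expose the email, its local
    part, or its domain, or is it in the reversible legacy format?"""
    local, domain = email.lower().split("@", 1)
    node = jid.lower().split("@", 1)[0]
    return email_from_legacy_jid(jid) is not None or local in node or domain in node
```

Running `jid_leaks_email` over a roster dump is a quick way to confirm whether a chat identifier scheme exposes account data before an external researcher does.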
The researchers confirmed that the entire process can be completed in less than one second per user with a script. BleepingComputer created a fake account today and shared our username with BobDaHacker, allowing them to simply add us as a friend and return the email we registered with.
The researcher also stated that it is not necessary to accept a friend request to exploit the flaw.
BleepingComputer also confirmed that it is relatively easy to find legitimate usernames on forums and Lovense-related sites, like lovenselife.com.
The researcher also claims that the FanBerry extension, created by Lovense, can be used to harvest usernames, making wide-scale email harvesting possible.
The researchers also discovered a critical vulnerability that let them completely hijack an account.
Using only an email address, an attacker could generate authentication tokens without needing a password. Using these tokens, an attacker could impersonate a user on Lovense platforms, including Lovense Connect, StreamMaster, and Cam101.
These tokens reportedly worked on admin accounts as well.
While Lovense has mitigated this flaw by rejecting the tokens on its APIs, the researchers noted that gtokens can still be generated without a password.
Both issues were reported to Lovense on March 26, 2025. In April, after also submitting the bugs on HackerOne, Lovense informed the researchers that the email issue was already known and fixed in an upcoming version.
The company initially downplayed the account hijacking flaw, but after being told it could allow full admin account access, Lovense reclassified it as critical.
In total, the researchers received $3,000 for the disclosure of the flaws.
On June 4, the company claimed the flaws were fixed, but the researchers confirmed this was not the case. Lovense ultimately fixed the account hijack flaw in July but stated that it would take roughly 14 months to resolve the email flaw, as it would break compatibility with older versions of their app.
"We've launched a long-term remediation plan that will take approximately ten months, with at least four more months required to fully implement a complete solution," Lovense told the researcher.
"We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions. We've decided against this approach in favor of a more stable and user-friendly solution."
The researchers criticized this response, stating the company repeatedly claimed the issues were fixed when they weren't.
"Your users deserve better. Stop putting old app support over security. Actually fix things. And test your fixes before claiming they work," BobDaHacker wrote in the report.
In 2016, several Lovense flaws exposed email addresses or allowed attackers to determine whether an email address had an account at Lovense.
BleepingComputer reached out to Lovense for comment but did not receive a response.