Sex toy maker exposes users' email addresses and accounts to takeover, researcher says

A security researcher says a sex toy manufacturer failed to fix two security defects that expose the private email addresses of its users and allow the takeover of any user's account.

The researcher, who goes by the handle BobDaHacker, published details of the bugs Monday after the company said that it would need 14 months to fix the flaws so as not to inconvenience the users of some of its legacy products.

Lovense is one of the largest makers of internet-connected sex toys, and says it has more than 20 million users. The company made headlines in 2023 for becoming one of the first sex toy manufacturers to integrate ChatGPT into its products.

But the inherent security risks in connecting sex toys to the internet can put users at risk of real-world harm if something goes wrong, including device lock-ins and data privacy problems.

BobDaHacker said they discovered that Lovense was exposing users' email addresses through the app. The email addresses of other users were visible to someone inspecting the app's network traffic.

By examining the network requests while logged in, BobDaHacker said they could associate any account with its registered email address, exposing every customer who has signed up with an identifiable email address.

“This was especially bad for cam models who share their usernames, but obviously they do not want their emails

TechCrunch verified this bug by creating a new account on Lovense and asking BobDaHacker to reveal our registered email address, which they did in about a minute. By automating the process with a computer script, the researcher said they could obtain a user's email address in less than one second.

BobDaHacker said a second vulnerability allowed them to take over any Lovense user's account using only their email address, which could be derived from the first bug. This bug allows anyone to create authentication tokens for accessing a Lovense account without needing a password, which allows an attacker to control the account as if they were the real user.

“Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,” said BobDaHacker.

The bugs affect anyone with a Lovense account or device.

BobDaHacker disclosed the bugs to Lovense on March 26 via the Internet of Dongs, a project that aims to improve the security and privacy of sex toys and helps report and disclose flaws to device makers.

According to BobDaHacker, they were awarded a total of $3,000 via the bug bounty site HackerOne. But after several weeks of back-and-forth over whether the bugs were fixed, the researcher went public this week after Lovense requested 14 months to fix the flaws. (Security researchers typically grant three months or less to fix a security bug.) In its response, the company cited users of its oldest products needing to update their apps.

The researcher notified the company ahead of the disclosure, according to an email seen by TechCrunch. BobDaHacker said in a blog post update that the bug may have been identified by another researcher as far back as 2023, but that the bug was closed without a fix.

Lovense did not respond to an email from TechCrunch.
