The connected sex toy platform Lovense is vulnerable to a zero-day flaw that allows an attacker to get access to a member's email address simply by knowing their username, putting them at risk of doxxing and harassment.

Lovense is an interactive sex toy manufacturer, best known for producing app-controlled sex toys with names like the Lush, the Gush, and, perhaps most boldly, the Kraken. However, the connected experience can also expose a member's Lovense username, and due to this flaw, potentially reveal their private email address.

The flaw was discovered by Canadian security researcher BobDaHacker, who collaborated with researchers Eva and Rebane to reverse engineer the app and automate the attack.

The vulnerability stems from the interaction between Lovense's XMPP chat system, used for communication between users, and the platform's backend. The attacker takes any publicly known Lovense username and encrypts it using the retrieved encryption keys. The server responds with data containing a fake email address, which the researcher converted into a fake Jabber ID (JID) used by Lovense's XMPP server. However, the problem is that the real JID is constructed using the user's actual email, in the format username!!!domain.com_w@im.lovense.com, allowing attackers to extract the victim's email address.

BleepingComputer created a fake account today and shared our username with BobDaHacker, allowing them to simply connect as a friend and return the email we registered with.

The researcher also claims that the FanBerry extension, created by Lovense, and the Tophy app can be used to harvest usernames, making wide-scale email harvesting possible.

In April, after the researchers also submitted the bugs on HackerOne, Lovense informed them that the email issue was already known and fixed in an upcoming version. The company initially downplayed the account hijacking flaw, but after being told it could allow full admin account access, Lovense reclassified it as critical. While Lovense has mitigated this flaw by rejecting the tokens on its APIs, the researchers noted that gtokens can still be generated without a password. Using these tokens, an attacker could impersonate a user on Lovense platforms, including Lovense Connect, StreamMaster, and Cam101.

Lovense ultimately fixed the account hijack flaw in July but stated that it would take approximately 14 months to resolve the email flaw, as it would break compatibility with older versions of their app. "We've launched a long-term remediation plan that will take approximately ten months, with at least four more months required to fully implement a complete solution," Lovense told the researcher.

In 2016, multiple Lovense flaws exposed email addresses or allowed attackers to determine if an email address had an account at Lovense.
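To make the JID problem concrete, the following added Python example (not Lovense's code and not the researchers') parses the email-derived JID format quoted above, flags such JIDs in a roster or log dump, and shows a hypothetical opaque alternative that derives the local part from an HMAC of an internal user id. The HMAC scheme, the sample JIDs and the server secret are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

XMPP_DOMAIN = "im.lovense.com"  # XMPP domain named in the article

# Email-derived JID format described in the article:
#   <email local part>!!!<email domain>_w@im.lovense.com
# Everything needed to rebuild the email is right there in the JID.
LEAKY_JID_RE = re.compile(
    r"^(?P<local>[^@]+?)!!!(?P<domain>[^@]+?)_w@" + re.escape(XMPP_DOMAIN) + r"$"
)

def email_from_leaky_jid(jid: str) -> Optional[str]:
    """Return the email an email-derived JID reveals, or None if the JID is
    not in that format (an opaque JID, or a different XMPP domain)."""
    match = LEAKY_JID_RE.match(jid)
    if match is None:
        return None
    return f"{match['local']}@{match['domain']}"

def audit_jids(jids: List[str]) -> List[Tuple[str, str]]:
    """Detection helper: (jid, exposed_email) for every JID in a roster or
    log dump that leaks an email address."""
    findings = []
    for jid in jids:
        email = email_from_leaky_jid(jid)
        if email is not None:
            findings.append((jid, email))
    return findings

def opaque_jid(internal_user_id: str, server_secret: bytes) -> str:
    """Hypothetical hardened form (an assumption, not Lovense's fix): derive
    the local part from an HMAC of an internal user id under a server-side
    secret, so the JID is stable per user but cannot be reversed to an
    email, and cannot even be recomputed without the secret."""
    mac = hmac.new(server_secret, internal_user_id.encode(), hashlib.sha256)
    return f"u{mac.hexdigest()[:32]}@{XMPP_DOMAIN}"

if __name__ == "__main__":
    # Constructed sample roster: one leaky JID, one opaque JID.
    roster = [
        "alice!!!example.com_w@im.lovense.com",
        opaque_jid("user-42", b"constructed-server-secret"),
    ]
    for jid, email in audit_jids(roster):
        print(f"{jid} exposes {email}")
```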
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 29 Jul 2025 02:40:16 +0000