Hackers could doxx victims using smart sex toy app
Researchers found a way to extract email addresses from Lovense user accounts
A mitigation was released, but allegedly it’s not working as intended
The company claims it still needs months before plugging the leak
Lovense, a sex tech company specializing in smart, remotely controlled adult toys, had a vulnerability in its systems which could allow threat actors to view people’s private email addresses.
All they needed was that person’s username, and apparently these are relatively easy to come by.
Recently, security researchers going by the aliases BobDaHacker, Eva, and Rebane discovered that if they knew someone’s username (maybe they saw it on a forum or during a cam show), they could log into their own Lovense account (which doesn’t need to be anything special, a regular user account will suffice) and use a script to turn the username into a fake email. This step uses encryption and parts of Lovense’s system meant for internal use.
That fake email gets added as a “friend” in the chat system, but when the system updates the contact list, it accidentally reveals the real email address behind the username in the background code.