Independent security researchers have uncovered two critical vulnerabilities in Lovense’s platform that could compromise personal data of over 20 million users worldwide. The interactive intimate device manufacturer’s security flaws enable attackers to harvest user email addresses and execute complete account takeovers, raising serious privacy concerns for users of these sensitive devices.
Technical Analysis of Discovered Security Flaws
A comprehensive security audit conducted by researchers BobDaHacker, Eva, and Rebane in March 2024 revealed significant weaknesses in Lovense’s application infrastructure. The vulnerabilities stem from a flawed integration between the XMPP-based chat system and the platform’s server-side components.
The first vulnerability allows complete account hijacking, while the second enables email address extraction using only publicly available usernames. This combination creates a particularly dangerous attack vector, especially considering that Lovense usernames are frequently shared publicly by webcam models who integrate these devices into their professional activities.
Email Harvesting Attack Vector Breakdown
The email extraction vulnerability follows a sophisticated multi-step process that exploits the platform’s authentication and messaging systems. Attackers initiate the process by sending a POST request to the /api/wear/genGtoken API endpoint to obtain authentication tokens and AES-CBC encryption keys.
The target username is then encrypted using the acquired keys and transmitted through the /app/ajaxCheckEmailOrUserIdRegisted endpoint. The server responds with data containing a fabricated email address, which gets converted into a Jabber ID for Lovense’s XMPP server. When the attacker adds this fake JID to their contact list and sends a subscription request, the system inadvertently reveals the genuine JID containing the actual user email address in the format [email protected].
Automation Capabilities and Attack Scale
Security researchers confirmed that the attack can be fully automated, with email extraction for a single user taking less than one second using specialized scripts. Critically, victims do not need to accept friend requests from attackers for the vulnerability to be successfully exploited, making the attack completely passive from the target’s perspective.
The threat is amplified by Lovense’s FanBerry extension, which can facilitate mass collection of usernames. Many content creators use identical usernames across multiple platforms, simplifying user identification and enabling targeted attack campaigns across different services.
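To make the flaw class concrete, and to show what a server-side fix and a log-side check for the automated, never-accepted subscription pattern described above could look like, here is a toy model added for this article. It is not Lovense code: the function names, the data model, the JID layout (e-mail as the escaped local part) and the sample accounts and events are all constructed assumptions.

```python
"""Toy model of the identifier-leak pattern described in the article, a
hardened alternative, and a simple log-side detector. Added example for this
page, not Lovense's code: function names, data model, JID layout and all
sample accounts/events are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
import secrets

XMPP_DOMAIN = "im.example.test"  # constructed stand-in for the real XMPP host


@dataclass
class Account:
    username: str
    email: str
    # Opaque, per-account identifier that carries no personal data.
    opaque_id: str = field(default_factory=lambda: secrets.token_hex(8))


# Constructed sample accounts.
ACCOUNTS = {
    "alice_cam": Account("alice_cam", "alice@example.test"),
    "bob": Account("bob", "bob@example.test"),
}

# Subscription requests awaiting the target's approval (hardened model only).
PENDING = defaultdict(set)


def placeholder_jid(username: str) -> str:
    """Models the fabricated address the lookup endpoint hands back."""
    return f"{username}@placeholder.{XMPP_DOMAIN}"


def _email_jid(acct: Account) -> str:
    """Assumed canonical JID layout: the e-mail address as the local part,
    with '@' escaped as in XEP-0106. This must never reach a non-contact."""
    local = acct.email.replace("@", "\\40")
    return f"{local}@{XMPP_DOMAIN}"


def vulnerable_subscribe(requester: str, target_jid: str) -> dict:
    """Flaw class: resolve the placeholder to the canonical JID and echo it
    in the subscription response before the target has approved anything."""
    acct = ACCOUNTS.get(target_jid.split("@", 1)[0])
    if acct is None:
        return {"type": "error", "condition": "item-not-found"}
    return {"type": "subscribe", "to": _email_jid(acct)}


def hardened_subscribe(requester: str, target_jid: str) -> dict:
    """Fix: the response is the same whether or not the target exists, so a
    subscription request leaks neither existence nor identity."""
    acct = ACCOUNTS.get(target_jid.split("@", 1)[0])
    if acct is not None:
        PENDING[acct.username].add(requester)
    return {"type": "pending", "to": target_jid}


def accept_subscription(target_username: str, requester: str) -> Optional[dict]:
    """Only after the target approves does the requester learn a JID, and
    even then it is the opaque one rather than anything e-mail-derived."""
    if requester not in PENDING.get(target_username, set()):
        return None
    PENDING[target_username].discard(requester)
    acct = ACCOUNTS[target_username]
    return {"type": "subscribed", "from": f"{acct.opaque_id}@{XMPP_DOMAIN}"}


def flag_enumeration(events, threshold: int = 20) -> list:
    """Log-side check: a requester with many subscription requests to distinct
    targets and (almost) no acceptances matches the automated harvesting
    pattern, which never needs the victim to accept."""
    sent, accepted = defaultdict(set), defaultdict(set)
    for ev in events:
        bucket = sent if ev["action"] == "subscribe" else accepted
        bucket[ev["requester"]].add(ev["target"])
    return sorted(r for r, t in sent.items() if len(t - accepted[r]) >= threshold)


# Constructed sample event log: one bulk requester, one ordinary user.
SAMPLE_EVENTS = (
    [{"requester": "harvester", "target": f"user{i}", "action": "subscribe"}
     for i in range(25)]
    + [{"requester": "bob", "target": "alice_cam", "action": "subscribe"},
       {"requester": "bob", "target": "alice_cam", "action": "subscribed"},
       {"requester": "bob", "target": "carol", "action": "subscribe"}]
)

if __name__ == "__main__":
    print(vulnerable_subscribe("stranger", placeholder_jid("alice_cam")))
    print(hardened_subscribe("stranger", placeholder_jid("alice_cam")))
    print(flag_enumeration(SAMPLE_EVENTS))
```

The two design points are that account identifiers exposed over XMPP should be opaque rather than derived from personal data, and that a subscription request from a non-contact should produce an identical response whether the target exists or not; the detector then treats a high count of unaccepted requests to distinct targets from one account as the signal worth alerting on, with the threshold tuned to the platform's normal friend-request behaviour.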
Corporate Response and Remediation Timeline
Despite researchers notifying Lovense about both vulnerabilities on March 26, 2024, the company’s response has been problematic. Initially, Lovense attempted to downplay the severity of the account takeover vulnerability. Only after researchers demonstrated successful access to administrative accounts did the company classify it as critical.
As of July 2024, Lovense has addressed only the critical account takeover vulnerability. The company claims that fixing the email harvesting issue will require approximately 14 months due to backward compatibility requirements with legacy application versions.
Historical Pattern of Security Issues
This incident represents part of a concerning pattern of security failures at Lovense. In 2017, researchers discovered that the application was recording all audio during device usage, storing files in local mobile device directories. The company dismissed this as a “minor bug.”
ESET security experts identified multiple vulnerabilities in 2021, including the ability to brute-force connection tokens for Lovense devices. This history suggests systemic cybersecurity challenges within the organization rather than isolated incidents.
The discovered vulnerabilities highlight the critical importance of robust security measures for intimate device manufacturers. Companies operating in this sensitive sector must prioritize comprehensive cybersecurity frameworks and implement rapid response protocols for vulnerability disclosures. Given the highly personal nature of the data involved, security breaches can have severe consequences for user privacy, safety, and reputation, making proactive security measures not just advisable but essential for maintaining user trust and regulatory compliance.