A Lovense security flaw may be letting people take over accounts without a password

Sex toy company Lovense is leaking the email addresses of its app users and allowing account takeovers without asking for a password, according to a security researcher. As reported by TechCrunch, BobDaHacker, who describes themself as an ethical hacker committed to exposing and reporting security vulnerabilities, published an extensive report in which they accuse Lovense of failing to fix a serious bug it was first made aware of in 2023.

According to the hacker (and later verified by TechCrunch), Lovense allows any username to be turned into their email address with the right know-how, a flaw they initially discovered after muting someone on the app. With their access to Lovense’s API, they were able to obtain the emails associated with any public username in less than a second when running the modified request process through an automated script. They noted that the vulnerable nature of these accounts is "especially ...