Sex toy maker Lovense caught leaking users’ email addresses and exposing accounts to takeovers

A security researcher says that sex toy manufacturer Lovense is leaking its users’ private email addresses and has failed to fully fix two security flaws that allow the takeover of any user’s account.

The researcher, who goes by the handle BobDaHacker, published details of the bugs on Monday after Lovense claimed it would need 14 months to fix the flaws so as not to inconvenience users of some of its legacy products.

Lovense is one of the largest manufacturers of internet-connected sex toys and is said to have more than 20 million users. The company made headlines in 2023 for being one of the first sex toy manufacturers to integrate ChatGPT into its products.

However, the inherent security risks of connecting sex toys to the internet can put users at risk of real-world harm if something goes wrong, including device lock-ins and data privacy leaks.

BobDaHacker said they discovered that Lovense was leaking other people’s email addresses while using the app. Although other users’ email addresses were not visible to users in the app, anyone using a network analysis tool to inspect the data flowing in and out of the app would see another user’s email address during an interaction such as muting them.

By modifying the network request from a logged-in account, BobDaHacker said they could associate any Lovense username with its registered email address, potentially exposing any customer who has signed up to Lovense with an identifiable email address.

“This was especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker wrote in their blog post.

TechCrunch verified this bug by creating a new account on Lovense and asking BobDaHacker to reveal our registered email address, which they did in about a minute. The researcher said that by automating the process with a computer script, they could obtain a user’s email address in less than a second.

BobDaHacker said that a second vulnerability allowed them to take over any Lovense user’s account using only their email address, which can be obtained from the previous bug. This bug allows anyone to create authentication tokens to access a Lovense account without needing a password, letting an attacker control the account remotely as if they were the real user.

“Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,” said BobDaHacker.

The bugs affect anyone with a Lovense account or device.

BobDaHacker disclosed the bugs to Lovense on March 26 through a project that aims to improve the security and privacy of sex toys and helps report and disclose flaws to device manufacturers.

According to BobDaHacker, they were awarded a total of $3,000 through the bug bounty site HackerOne. However, after several weeks of back-and-forth arguing over whether the bugs were actually fixed, the researcher went public this week after Lovense requested 14 months to fix the flaws. (Security researchers usually grant vendors time to fix security bugs before going public with their findings.)

The researcher informed the company before publishing, according to an email seen by TechCrunch. In a blog post update on Tuesday, BobDaHacker said that the bug had been identified by another researcher as far back as September 2023, but was allegedly closed without a fix.

Lovense did not respond to TechCrunch’s email.
