Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
A security researcher says that sex-toy maker Lovense has failed to fully fix two security flaws that expose its users' private email addresses and allow the takeover of any user's account.
The researcher, who goes by the handle BobDaHacker, published details of the bugs on Monday after Lovense said it would need 14 months to fix the flaws so as not to disrupt users of some of its legacy products.
Lovense is one of the largest makers of internet-connected sex toys and reportedly has more than 20 million users. The company made headlines in 2023 when it became one of the first sex-toy makers to integrate ChatGPT into its products.
But the security risks inherent in connecting sex toys to the internet can put users at risk of real-world harm if something goes wrong, including devices being locked and leaks of private data.
BobDaHacker said they discovered that Lovense was leaking other users' email addresses during use of the app. Although other users' email addresses were not visible to users within the app, anyone using a network analysis tool to inspect the data entering and leaving the app would see the other user's email address when interacting with them, such as muting them.
By modifying a network request from a logged-in account, BobDaHacker said they could link any Lovense username to its registered email address, potentially exposing any customer who signed up for Lovense with an identifiable email address.
“It was particularly bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed,” BobDaHacker wrote in their blog post.
TechCrunch verified the bug by creating a new Lovense account and asking BobDaHacker to reveal our registered email address, which they did in about a minute. By automating the process with a script, the researcher said they could obtain a user's email address in under a second.
BobDaHacker said a second vulnerability allowed them to take over any Lovense user's account using only that user's email address, which could be obtained from the previous bug. The bug allows anyone to generate authentication tokens to access a Lovense account without needing a password, letting an attacker control the account remotely as if they were the real user.
“Cam models use these toys for work, so it was a huge deal. Literally anyone could take over any account just by knowing the email address,” BobDaHacker said.
The bugs affect anyone with a Lovense account or device.
BobDaHacker disclosed the bugs to Lovense on March 26 through the Internet of Dongs project, which aims to improve the security and privacy of sex toys and helps report and disclose flaws to device manufacturers.
According to BobDaHacker, they received a total of $3,000 through the bug bounty site HackerOne. But after several weeks of back-and-forth disputing whether the bugs were actually fixed, the researcher went public this week after Lovense asked for 14 months to fix the flaws. (Security researchers typically give vendors three months or less to fix a security bug before making their findings public.) The company told BobDaHacker in the same email that it had decided against a “faster, one-month fix,” which would have required forcing customers using older products to upgrade their apps immediately.
The researcher notified the company ahead of disclosure, according to an email seen by TechCrunch. BobDaHacker said in a blog update on Tuesday that the bug had been identified by another researcher in September 2023, but that the bug report was reportedly closed without a fix.
Lovense did not respond to an email from TechCrunch.