Lovense Sex Toy App Exposes Millions to Email ID Leaks and Account Takeovers

A cybersecurity researcher has identified critical vulnerabilities in the Lovense app that expose millions of users to email ID leaks and account takeovers. The incident comes on the heels of a major data breach at Tea, an app that allows women to anonymously comment and review dates with men.

According to BobDaHacker, the anonymous researcher who published their findings, anyone who has created an account on Lovense may have been affected by two in-app security flaws. The vulnerabilities allowed threat actors to harvest emails from public username lists, putting cam models at risk of having their personal emails exposed.

The researcher reported that they first brought the security flaws to Lovense’s notice in March and won a $3,000 reward through a bug bounty program. However, the company reportedly requested 14 months to fix the flaws, which led the researcher to publish the findings in the public domain.

Lovense has since addressed the account takeover bug and plans to roll out a software patch for the email disclosure bug within the next week. The incident highlights the risks associated with using IoT-based sex toys, including privacy violations and device lock-ins.

Source: https://indianexpress.com/article/technology/tech-news-technology/sex-toy-maker-lovense-left-millions-of-users-vulnerable-to-email-id-leaks-account-takeovers-10159177