Lovense Security Flaws Raise Major Concerns Over User Privacy
Lovense, a popular sex toy maker known for its internet-connected devices, is under fire after a researcher revealed two severe security flaws that could compromise the privacy and safety of its users. These vulnerabilities not only exposed the email addresses of millions of users but also enabled full account takeovers—raising serious concerns about the security of connected sex tech devices. With over 20 million global users, the implications are wide-reaching. The Lovense security flaws have highlighted the urgent need for improved safeguards in the sex tech industry, especially as these tools become increasingly integrated with AI and other smart features.
Image Credits: Eugenia Shulim / Getty Images
How the Lovense Security Flaws Exposed User Emails
The first flaw, discovered by an independent researcher known as BobDaHacker, was a significant privacy leak that allowed attackers to retrieve private user email addresses. While these emails weren’t visible anywhere in the Lovense app interface, anyone with basic networking tools could intercept the app’s traffic and extract email addresses from the data exchanged during ordinary interactions such as muting another user. That means users—especially sex workers and cam models—were unknowingly leaking their personal information simply by using the app’s social features.
By modifying network requests through simple interception, attackers could associate Lovense usernames with email addresses. This risk was especially damaging for those who publicly advertise their usernames but rely on the platform to keep their email addresses confidential.
Account Takeovers Made Possible Through a Second Major Bug
The second of the Lovense security flaws is arguably more dangerous. Once an attacker had access to a user’s email address, they could exploit another vulnerability to take full control of that account—without even needing a password. This flaw involved the unauthorized generation of authentication tokens, allowing an attacker to impersonate the actual user. From there, they could control connected devices remotely, view chat history, or change account settings—all without the real user knowing.
This vulnerability put everyone at risk—from casual users to sex workers who depend on Lovense products for their income. According to BobDaHacker, this issue affected every single Lovense account or device. “Cam models use these tools for work, so this was a huge deal,” they explained. The risk wasn’t just digital—it could translate into real-world consequences, especially when the devices involved control physical stimulation remotely.
Lovense’s Response and the Broader Implications for Sex Tech Security
Lovense acknowledged the flaws but said it would take up to 14 months to issue a full fix, citing concerns about breaking compatibility with legacy products. This lengthy timeline has drawn criticism, as users remain vulnerable during this extended window. BobDaHacker initially disclosed the vulnerabilities to Lovense via the Internet of Dongs project, a group dedicated to improving sex toy security. Despite receiving $3,000 through HackerOne, the researcher decided to go public after Lovense failed to provide timely patches or user warnings.
The Lovense security flaws shine a spotlight on the broader problem of weak cybersecurity in the sex tech industry. As more adult devices go online and integrate with AI tools like ChatGPT, security must be more than an afterthought—it must be built in from the start. Privacy and consent are central to the use of these products, and any breach of that trust could result in psychological, reputational, and financial harm. This incident emphasizes the urgent need for companies to adopt better security practices, offer clear transparency, and prioritize the safety of their users over maintaining backward compatibility.