Lovense, the maker of connected sex toys, has known about two serious security flaws for several months and has still not fixed them. In a blog post published at the end of July and seen by the specialist site TechCrunch, a security researcher explains that these vulnerabilities expose users' email addresses and, worse, allow their accounts to be taken over.
More than 20 million people worldwide are affected. Known under the pseudonym bobdahacker, the researcher discovered the flaws while using the application, when he realized that it was revealing a user's email address.
A simple and fast process
The researcher then worked out how to expose the email addresses of all users, a simple and fast process. “The whole process took approximately 30 seconds per username manually. Thanks to the script (computer program, editor's note) that we created to automate it, converting a username to an email address took less than a second,” said Bobdahacker.
Next, the researcher discovered that with just an email address, it was possible to take control of the user's account. More specifically, the second flaw allows anyone to create authentication tokens that grant access to a Lovense account without a password.
“Cam models use these tools for their work, so it was a real asset. Anyone could take control of an account simply by knowing the email address,” the researcher deplored.
14 months to fix the flaws
Bobdahacker reported the two flaws to Lovense last March. The company then assured him that it was working on a fix. At the same time, the researcher also disclosed the vulnerabilities on HackerOne, the platform that pays rewards for discovered bugs. He received a $3,000 bounty.
But what mattered most to him was whether Lovense had actually fixed the two flaws, which was not the case. After several weeks of discussion, he made the issue public this week, revealing that the manufacturer had informed him that it would need 14 months to fix the vulnerabilities.
“After your report, we conducted an in-depth investigation and implemented initial corrective measures. (…) However, resolving the root cause requires more architecture work.”
In its message, the company also explained that it had a faster solution, taking about a month, to fix the flaws, but that it would force users to update the application and would disrupt the operation of older versions of the app. That is why it set that option aside.
A flaw soon to be fixed?
Also in his blog post, Bobdahacker revealed that the flaw allowing account takeover had already been identified by another researcher almost two years ago. Known under the pseudonym Krissy, that researcher says they discovered the vulnerability in September 2023 together with another researcher.
Krissy had also reported the flaw to Lovense, which claimed to have fixed it. Today, the manufacturer says it has resolved both problems. It told TechCrunch that the account takeover flaw was now fully resolved and that the other flaw would be fixed in an update to be rolled out to all users next week.
Source: BFM TV
