Lovense: The Company That Lies to Security Researchers
9 months ago
- #privacy
- #vulnerability
- #security
- Lovense app had two critical vulnerabilities: email disclosure and account takeover.
- Email disclosure allowed converting any username to an email address via API and XMPP manipulation.
- Account takeover allowed generating auth tokens from an email address alone; no password was required.
- Lovense initially downplayed the severity and took months to implement partial fixes.
- Researchers found the same account takeover bug had been reported and allegedly fixed in 2023, but it had not been.
- Lovense lied to researchers and the press about fixes and misrepresented the vulnerabilities.
- The company prioritized legacy app support over user privacy and security.
- Vulnerabilities still existed months after being reported, exposing user emails and accounts.