A Lovense security flaw may be letting people take over accounts without a password

Sex toy company Lovense is leaking the email addresses of its app users and allowing account takeovers without asking for a password, according to a security researcher. As reported by TechCrunch, BobDaHacker, who describes themself as an ethical hacker committed to exposing and reporting security vulnerabilities, published an extensive report in which they accuse Lovense of failing to fix a serious bug it was first made aware of in 2023.

According to the hacker (and later verified by TechCrunch), Lovense allows any username to be turned into their email address with the right know-how, a flaw they initially discovered after muting someone on the app. With their access to Lovense’s API, they were able to obtain the emails associated with any public username in less than a second when running the modified request process through an automated script. They noted that the vulnerable nature of these accounts is "especially bad for cam models" who use the Lovense platform for work, and may share their usernames for these purposes.

The researcher also realized that with a user’s email address (either one you already know or one obtained using the aforementioned disclosure bug), they could generate auth tokens that allowed them to take over the associated account without a password. This allegedly worked for the Lovense Chrome Extension and Lovense Connect app, as well as the company’s Cam101 and StreamMaster software — and even admin accounts.

BobDaHacker said they initially reported the bugs to Lovense with assistance from the sex tech hacking project The Internet Of Dongs in March 2025, and received $3,000 in total for flagging them via the HackerOne security platform. After a series of interactions with Lovense representatives, they were told in early June that the account takeover bug had been fixed during the previous month, which the researcher claims is not true. Regarding the email disclosure flaw, Lovense said in a statement printed by BobDaHacker that it could take up to 14 months to fix the issue, as a faster one-month fix would "require forcing all users to upgrade immediately," which it said would "disrupt support for legacy versions."

The researcher went on to say that they were contacted by a Twitter user who claimed to have found the same account takeover bug as far back as 2023, and were told shortly after reporting it to Lovense that the bug had been resolved, which wasn’t the case. They said a patch eventually fixed their method, which used an HTTP endpoint to convert a username into an email address, but that it wasn’t rolled out until early 2025. BobDaHacker said they had requested comment from Lovense but at the time of writing had not received one.

This isn’t the first time Lovense users have stumbled upon privacy concern bugs. In 2017, a Redditor discovered that the Lovense app, which allows users to control their sex toys remotely, was recording audio without their consent and saving it to their phone. A commenter on the Reddit post, who claimed to be a Lovense representative, called the recordings a "minor software bug" that affected the Android version of the app and said at the time that it had been fixed in an update.

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/a-lovense-security-flaw-may-be-letting-people-take-over-accounts-without-a-password-160528730.html?src=rss https://www.engadget.com/cybersecurity/a-lovense-security-flaw-may-be-letting-people-take-over-accounts-without-a-password-160528730.html?src=rss