Particle.news

Lovense Patches Account Takeover Bug While Email Leak Remains Unfixed

Researchers warn the flaw still exposes private emails as Lovense embarks on a 10- to 14-month fix to avoid breaking older apps.

[Image: Lovense Lush toy with USB charging cable. Caption: A security flaw in a sex toy app exposed users' email addresses (representational image).]
[Image: The Lovense remote-control app shown on a phone screen in a darkened room.]

Overview

  • The email-disclosure flaw, reported in March and still unpatched, lets an attacker turn a user's public username into their private email address in under a second by abusing the app's XMPP-based API.
  • Lovense fully patched the gtoken-based account-takeover vulnerability in early July and deployed a proxy as a mitigation, though researchers say earlier fixes were repeatedly announced as complete before proving ineffective.
  • With an installed base of roughly 20 million users, including cam performers who often share their usernames publicly, the unresolved email leak poses a prolonged risk of doxxing and targeted harassment.
  • Lovense has opted for a long-term remediation plan, estimating 10 to 14 months to complete it, so as to avoid breaking legacy app versions rather than forcing users to upgrade immediately.
  • Security experts contend that the drawn-out path to a permanent fix underscores broader IoT privacy problems and urge Lovense to put user protection ahead of backward compatibility.