Particle.news

Lovense Patches Account Takeover Flaw, Delays Email-Exposure Bug Fix

Lovense says it requires a 14-month remediation schedule to fix the email-exposure vulnerability without disrupting older app versions.

Image: Lovense Lush vibrator on a pink background with its USB charging cable.
Image: The Lovense remote-control app shown on a phone screen in a darkened room.

Overview

  • Researchers led by BobDaHacker reported two previously unknown vulnerabilities in Lovense's connected app on March 26, 2025, through HackerOne and the Internet of Dongs project.
  • Lovense shipped a patch in early July that fully closed the token-based account takeover flaw, after earlier claims that the bug had been fixed proved incorrect.
  • The still-unpatched email-exposure bug lets an attacker recover a user's private email address in under a second by querying an XMPP-related API with nothing more than a publicly known username.
  • With more than 20 million customers, and with cam models' usernames widely shared, affected users remain at heightened risk of doxxing and account compromise.
  • Security experts criticize Lovense's choice to prioritize compatibility with older app versions over a one-month fix that would have closed the hole far sooner.
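The bullets above describe the bug class only at a high level: a public handle goes into a chat-related API and a private email comes back. The page does not say how Lovense's API is built internally, so the following is an added illustration written for this page, not Lovense's code and not the researchers' exploit. It contrasts a lookup whose chat address is derived from the private email with one that hands out an opaque, randomly generated chat id, and includes the kind of regression audit a security team would run against the response to catch the leak before release. Every user, email, domain, field and function name in it is constructed for the example.

```python
"""Added illustration, not Lovense's code: a username-to-contact lookup that
derives the chat address from the account's private email (weak) beside one
that returns only an opaque, randomly generated chat id (hardened), plus an
audit that flags responses carrying a registered email. Every name, user,
domain and field here is constructed for the example."""
import re
import secrets
from typing import Callable, Dict, List, Optional

CHAT_DOMAIN = "chat.example.invalid"  # constructed; stands in for a real XMPP domain

# Constructed sample user store: public handle -> private profile data.
USERS: Dict[str, Dict[str, str]] = {
    "camstar": {"email": "camstar.real@example.com"},
    "lushfan": {"email": "lushfan@example.org"},
}

# Server-side mapping between opaque chat ids and accounts; never sent to clients.
_USER_TO_CHAT_ID: Dict[str, str] = {}
_CHAT_ID_TO_USER: Dict[str, str] = {}


def leaky_lookup(username: str) -> Optional[Dict[str, str]]:
    """Weak design: the chat address is built from the private email, so anyone
    who knows a public handle can read the email back out of the response."""
    profile = USERS.get(username)
    if profile is None:
        return None
    local = profile["email"].replace("@", "_at_")
    return {"username": username, "chat_jid": f"{local}@{CHAT_DOMAIN}"}


def hardened_lookup(username: str) -> Optional[Dict[str, str]]:
    """Hardened design: the chat address uses a random id with no relation to
    the email; the id-to-account link stays in the server-side tables."""
    if username not in USERS:
        return None
    chat_id = _USER_TO_CHAT_ID.get(username)
    if chat_id is None:
        chat_id = secrets.token_urlsafe(16)
        _USER_TO_CHAT_ID[username] = chat_id
        _CHAT_ID_TO_USER[chat_id] = username
    return {"username": username, "chat_jid": f"{chat_id}@{CHAT_DOMAIN}"}


def resolve_chat_id(chat_id: str) -> Optional[str]:
    """Server-side only: map an opaque chat id back to the account it belongs to."""
    return _CHAT_ID_TO_USER.get(chat_id)


def _squash(s: str) -> str:
    """Lower-case and drop separators so light encodings ('_at_', '.', '-')
    cannot hide a match."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def response_leaks_email(response: Optional[Dict[str, str]], email: str) -> bool:
    """Heuristic: the response leaks the email if both its local part and its
    domain appear (separators ignored) in any field other than the public username."""
    if response is None:
        return False
    blob = _squash(" ".join(v for k, v in response.items() if k != "username"))
    local, domain = email.rsplit("@", 1)
    return _squash(local) in blob and _squash(domain) in blob


def audit_lookup(lookup: Callable[[str], Optional[Dict[str, str]]]) -> List[str]:
    """Run a lookup over every known account and return the handles whose
    public response exposes the registered email."""
    return [u for u, p in USERS.items() if response_leaks_email(lookup(u), p["email"])]


if __name__ == "__main__":
    print("leaky   :", audit_lookup(leaky_lookup))     # ['camstar', 'lushfan']
    print("hardened:", audit_lookup(hardened_lookup))  # []
```

The audit deliberately squashes separators before matching, because a chat address that encodes an email with a substitution such as `_at_` still leaks it; matching only on the literal string would pass the weak design. The hardened variant costs one extra server-side table and buys a public identifier that reveals nothing about the account even if it is scraped at scale from shared usernames.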