How were the Lovense vulnerabilities discovered?

The vulnerabilities were discovered by security researcher BobDaHacker after noticing an API response contained an email address while using the Lovense app's mute function. This discovery led to the identification of two security flaws in Lovense's XMPP chat system architecture and authentication mechanisms that could be chained together for maximum impact.

What is the account takeover vulnerability in Lovense?

The account takeover vulnerability allows attackers to generate valid authentication tokens (gtokens) using only email addresses without requiring passwords. The attack exploits hardcoded application credentials in Lovense Connect, using the platform's appId and appSecret to create encrypted signatures that authenticate users across multiple Lovense services including Chrome Extension, Connect app, StreamMaster, and Cam101 platform.

How does the Lovense email disclosure vulnerability work?

The email disclosure vulnerability allows extraction of email addresses through a multi-step process. Attackers obtain authentication tokens and encryption keys, encrypt target usernames using AES-CBC encryption, and submit them to retrieve fake email addresses. The critical flaw occurs when these fake emails are converted to XMPP JID format, causing the XMPP server to reveal both fake and real JIDs linked by internal identifiers, exposing the victim's actual email address.

Do the Lovense vulnerabilities have CVE numbers assigned?

No, the Lovense vulnerabilities do not have CVE numbers assigned. Despite the significant privacy and security implications, particularly for vulnerable user populations, these flaws remain without official CVE tracking identifiers.

What Lovense services are affected by the account takeover vulnerability?

The account takeover vulnerability affects multiple Lovense services including the Chrome Extension, Connect app, StreamMaster, and Cam101 platform. The hardcoded application credentials allow attackers to authenticate across this entire ecosystem of connected services using only email addresses.

What should Lovense users do about these vulnerabilities?

Lovense users, particularly those who use the platform professionally like cam models and content creators, should be aware that their email addresses may be discoverable through their usernames and their accounts may be vulnerable to takeover. Users should monitor for unauthorized access and consider the privacy implications when sharing usernames publicly.

What makes the Lovense vulnerabilities particularly concerning?

The vulnerabilities are particularly concerning because they can expose private email addresses of users who rely on privacy for their safety, such as adult content creators who face risks of doxxing and harassment. The ability to take over accounts without passwords also presents significant security risks for users of connected intimate devices.

Advisory

Email disclosure and account takeover flaws reported in Lovense connected sex toy platform

Q: What are the Lovense security vulnerabilities?

Security researchers have reported vulnerabilities in Lovense, a connected adult toy platform, that allow attackers to extract users' private email addresses from usernames and completely take over accounts without passwords. The vulnerabilities were discovered by security researcher BobDaHacker, working with researchers Eva and Rebane.

Q: Have the Lovense vulnerabilities been verified by independent sources?

Yes, TechCrunch verified the email disclosure vulnerability by creating a new account on Lovense and asking BobDaHacker to reveal their registered email address, which the researcher accomplished in about a minute, demonstrating the ease and speed of exploitation.

Q: Who is most at risk from the Lovense vulnerabilities?

The vulnerability particularly impacts cam models and adult content creators who publicly share usernames for professional purposes while requiring email privacy to prevent doxxing and harassment. These users rely on privacy protections to maintain their safety and professional boundaries.

Q: What was the dispute about Lovense's vulnerability fixes?

The disclosure process became contentious as Lovense repeatedly claimed fixes were implemented when they were not, leading to a four-month timeline of disputed resolution status. This created friction between the security researchers and the company regarding the actual status of vulnerability remediation.

published: July 29, 2025

Take action: We don't have a good advice on this flaw. It's a cloud based service and it the flaw exposed users. It seems that it hasn't been exploited. Best we can advise is not to trust too much in connected devices and platforms. Anything can and eventually will be hacked.

Learn More

Security researchers are reporting vulnerabilities in Lovense, a connected sex toy platforms, that allow attackers to extract users' private email addresses from usernames and completely take over accounts without passwords.

The vulnerabilities were discovered by security researcher BobDaHacker, working with researchers Eva and Rebane, after noticing an API response contained an email address while using the Lovense app's mute function. The discovery led to the identification of two security flaws that could be chained together for maximum impact against users.

The vulnerabilities don't have a CVE assigned. They are caused by a flaw in Lovense's XMPP (Extensible Messaging and Presence Protocol) chat system architecture and authentication mechanisms.

Account takeover vulnerability allows attackers to generate valid authentication tokens (gtokens) using only email addresses without requiring passwords. The attack exploits hardcoded application credentials in Lovense Connect, using the platform's appId (a79643e665bb9833) and appSecret (2DF65319C4D46284) to create encrypted signatures that authenticate users across multiple Lovense services including the Chrome Extension, Connect app, StreamMaster, and Cam101 platform.
Email disclosure vulnerability allows extracting of email addresses. Attackers first obtain authentication tokens and encryption keys by making POST requests to /api/wear/genGtoken with their own account credentials. They then encrypt target usernames using AES-CBC encryption and submit them to /app/ajaxCheckEmailOrUserIdRegisted to retrieve fake email addresses. The critical flaw occurs when these fake emails are converted to XMPP JID format and added to the attacker's contact roster, causing the XMPP server to reveal both fake and real JIDs linked by internal identifiers, exposing the victim's actual email address.

TechCrunch verified the email disclosure vulnerability by creating a new account on Lovense and asking BobDaHacker to reveal their registered email address, which they accomplished in about a minute. The vulnerability impacts cam models and adult content creators who publicly share usernames for professional purposes while requiring email privacy to prevent doxxing and harassment.

The researchers initially reported both vulnerabilities to Lovense on March 26, 2025. The company acknowledged the bugs on March 27 and confirmed they were working on fixes. However, the disclosure process became contentious as Lovense repeatedly claimed fixes were implemented when they were not, leading to a four-month timeline of disputed resolution status.

Update - as of 1st of August 2025, Dutch retailers Bol.com and EasyToys have suspended the sale of sex toys made by Lovense, after the exposure of users’ names and email addresses that put Dutch consumers, including webcam performers, at risk of identity exposure.

Email disclosure and account takeover flaws reported in Lovense connected sex toy platform