Incident

Manufacturer of ‘smart’ chastity device leaks users’ data

Take action: Imagine a security vulnerability that directly impacts the most intimate parts of your life. Now imagine some programmer somewhere planning to fix it in the next quarter, because the project managers are pushing for new features now. This is why every single person in the world should give maximum priority to fixing security issues. Or you can accept your life being hacked. Including your sex life.


Learn More

A manufacturer specializing in chastity devices that partners can control remotely via the internet has inadvertently exposed sensitive user data due to multiple server vulnerabilities. The leak is ongoing and was reported by a security researcher.

This company offers a chastity cage product that can be linked to an Android app, allowing a partner to control it remotely regardless of their location, with precise GPS tracking.

Both the researcher and the manufacturer are unnamed since the data is still exposed and the vulnerabilities are not fixed yet.

The researcher accessed a database containing over 10,000 user records by exploiting two vulnerabilities. The researcher was able to expose data including:

  • email addresses
  • plaintext passwords
  • home addresses
  • IP addresses
  • in some instances, GPS coordinates

Seeking to safeguard user data, the researcher contacted the company on June 17, notifying them of the issues; however, as of the time of this report, the company has failed to rectify these vulnerabilities.

In response to the company's inaction, the researcher took further steps to raise awareness about the situation. On August 23, he defaced the company's website in a bid to alert both the company and its users to the ongoing data security risks. Subsequently, the company restored the website but failed to address the underlying vulnerabilities, leaving user data exposed and exploitable.

Apart from the security flaws allowing unauthorized access to the user database, the researcher discovered that the company's website exposed logs of users' PayPal payments, revealing email addresses used for PayPal transactions and payment dates.
