Full Report
The connected sex toy platform Lovense is vulnerable to a zero-day flaw that allows an attacker to get access to a member's email address simply by knowing their username, putting them at risk of doxxing and harassment. [...]
Analysis Summary
# Vulnerability: Lovense Sex Toy App Flaw Leaks Private User Email Addresses
## CVE Details
- CVE ID: None given in the provided text. The flaws are likely recent enough that CVE numbers, possibly more than one, have not yet been assigned or published.
- CVSS Score: Not specified.
- CWE: Potentially CWE-200 (Information Exposure) or similar, due to insecure data handling in API responses.
## Affected Systems
- Products: Lovense sex toy application ecosystem (API/Backend services handling user data).
- Versions: Unknown specific versions, but patches cover older app versions where the vulnerability was present.
- Configurations: Affects user accounts storing email addresses.
## Vulnerability Description
A vulnerability in the Lovense application/backend infrastructure allows an attacker to obtain the private email address associated with an account by knowing only its username. The behaviour appears to be an account enumeration or insecure direct object reference flaw; researchers disclosed both an account hijack flaw and an email exposure flaw. Lovense acknowledged the flaw but indicated a protracted remediation timeline, because a quick fix would break compatibility with older, legacy versions of the mobile application.
## Exploitation
- Status: Researchers reported both an account hijack flaw and an email leak flaw. Status regarding public exploitation is **Not explicitly stated**, but the flaws were successfully demonstrated by researchers.
- Complexity: Implied to be **Low to Medium** given that external researchers found and disclosed the issues.
- Attack Vector: The nature of the exposure suggests a **Network** attack vector targeting the service APIs.
## Impact
- Confidentiality: **High** (Leak of private user email addresses).
- Integrity: **Unknown/Low** (Focus was on information disclosure, not data alteration).
- Availability: **Unknown/Low** (Focus was on information disclosure, not service downtime).
## Remediation
### Patches
- **Account Hijack Flaw:** Resolved by Lovense in July (Specific version not stated).
- **Email Leak Flaw:** Lovense stated a long-term plan requiring approximately 14 months for a complete fix to maintain compatibility with legacy apps. No confirmed patch version is available as of the summary date.
### Workarounds
- No official workarounds provided by Lovense in the text.
- Researchers criticized Lovense for prioritizing legacy support over immediate security for users regarding the email flaw.
## Detection
- **Indicators of Compromise**: API traffic showing user lookups or enumeration attempts that result in unauthorized email address disclosure.
- **Detection Methods and Tools**: Security monitoring solutions capable of tracking excessive or suspicious querying of user profile APIs where sensitive PII might be unexpectedly returned.
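
The detection idea above, as an added example (not part of the original report and not Lovense's code): a sliding-window check that flags a client looking up many distinct usernames in a short period while responses carried an email address. The log format, the `/api/user/lookup` path and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical, one line per user-lookup API call):
#   <ISO timestamp> <client id> <path> <username queried> email=<0|1>
# email=1 means the response body carried an email address.
LOOKUP_PATH = "/api/user/lookup"  # hypothetical path, not Lovense's real API


def make_sample_log():
    """Constructed traffic: one client walking usernames, one normal client."""
    lines = []
    base = datetime(2025, 1, 1, 10, 0, 0)
    for i in range(12):  # 12 distinct usernames within 22 seconds
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 {LOOKUP_PATH} user{i:03d} email=1")
    for i in range(3):  # the same friend looked up again, minutes apart
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.20 {LOOKUP_PATH} friend01 email=0")
    return lines


def detect_enumeration(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return {client: peak distinct usernames per window} for clients that
    exceed max_distinct usernames in a window AND received an email back."""
    parsed = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != LOOKUP_PATH:
            continue  # skip malformed lines and unrelated endpoints
        parsed.append((datetime.fromisoformat(parts[0]), *parts[1:2], *parts[3:]))
    recent = defaultdict(deque)  # client -> deque of (time, username)
    leaked = defaultdict(int)    # client -> responses that carried an email
    flagged = {}
    for ts, client, username, email_flag in sorted(parsed):
        leaked[client] += email_flag == "email=1"
        q = recent[client]
        q.append((ts, username))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > max_distinct and leaked[client]:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


if __name__ == "__main__":
    for client, peak in detect_enumeration(make_sample_log()).items():
        print(f"ALERT {client}: {peak} distinct usernames looked up within 60s")
```

Counting distinct usernames rather than raw request volume keeps a client that repeatedly refreshes the same profile from triggering the alert.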
## References
- [BleepingComputer Article Reference](https://www.bleepingcomputer.com/news/security/lovense-sex-toy-app-flaw-leaks-private-user-email-addresses/)
- [Researcher Disclosure Reference (Defanged)](internetofdon.gs/lovense/)