The connected sex toy platform Lovense is affected by a zero-day flaw that lets an attacker recover a member's email address from nothing more than their username, exposing users to doxxing and harassment.
Lovense is an interactive sex toy manufacturer known for app-controlled toys with names such as Lush, Gush and, perhaps most adventurously, Kraken. The company claims to have 20 million customers worldwide.
While Lovense toys are commonly used for both local and long-distance play, they are also popular with cam models, who let viewers tip or subscribe for remote control of their toys.
However, those connected experiences can also display the model's Lovense username, and because of this flaw, potentially expose their personal email address.
Lovense usernames are also routinely shared in public on forums and social media, which makes their owners easy targets for attackers.
The flaw was discovered by security researcher BobDaHacker, who worked with researchers Eva and Rebane to reverse-engineer the app and automate the attack.
The researchers reported two flaws four months ago, on March 26, 2025. Only one of them, a critical account takeover bug, has since been fixed.
The Lovense flaws
The vulnerability stems from the interaction between Lovense's XMPP chat system, which handles communication between users, and the platform's backend.
"So this all started when I was using the Lovense app and muted someone. Simple thing, right? Just mute them," reads BobDaHacker's report.
"But then I looked at the API response and was like... wait, why do I know their email? Why is that there? After some deep digging, I figured out how to convert any username to their email address."
To exploit the flaw, an attacker first sends a POST request to the /api/wear/genGtoken API endpoint with their own account credentials. The response contains a gtoken (an authentication token) and an AES-CBC encryption key.
The attacker then takes any publicly known Lovense username, encrypts it with the recovered key, and sends the encrypted payload to the /app/ajaxCheckEmailOrUserIdRegisted?email={encrypted_username} API endpoint.
The server responds with data containing a fake email address, which the researchers converted into a fake Jabber ID (JID) for Lovense's XMPP server.
By adding this fake JID to their XMPP contact list and sending a presence subscription over XMPP (the equivalent of a friend request), the attacker can then refresh their roster (contact list), which now contains both the fake JID and the real JID associated with the target account.
The problem is that the real JID is derived directly from the user's actual email address, with the @ replaced by !!!, in the format localpart!!!domain.com_w@im.lovense.com, so anyone who can see the JID can read the victim's email address out of it.
For example, a roster entry of the form bleeping!!!domain.com_w@im.lovense.com corresponds to the registered address bleeping@domain.com. Because the JID is an identifier that every other user is allowed to see, encoding a private attribute in it turns an ordinary roster refresh into an email oracle.
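The decoding step above is mechanical, which is why the researchers could script it. The following Python is an added example written for this article, not code from the researchers or from Lovense. It assumes only the JID layout the report describes (local part, "!!!", domain, "_w", at im.lovense.com) and parses a constructed XMPP roster result stanza (not real data) to show how the real JID, once it appears in the roster, gives up the address. The genGtoken and AES-CBC steps are not reproduced here, since the page does not give the IV and padding details needed to implement them faithfully.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# JID layout as described in the report: <local>!!!<domain>_w@im.lovense.com
# (assumption: the domain and "_w" suffix are exactly as quoted in the article)
JID_HOST = "im.lovense.com"
LEAKY_NODE_RE = re.compile(r"^(?P<local>[^!@]+)!!!(?P<domain>.+?)_w$")


def email_from_jid(jid: str) -> Optional[str]:
    """Return the e-mail address embedded in a Lovense-style JID.

    Returns None for JIDs on other servers or for opaque JIDs that do not
    follow the leaky local!!!domain_w pattern.
    """
    node, sep, host = jid.partition("@")
    if sep != "@" or host.lower() != JID_HOST:
        return None
    match = LEAKY_NODE_RE.match(node)
    if not match:
        return None
    return f"{match.group('local')}@{match.group('domain')}"


def emails_from_roster(roster_xml: str) -> Dict[str, str]:
    """Parse an XMPP roster result (RFC 6121 <iq type='result'>) and map
    every contact JID that embeds an address to that address."""
    root = ET.fromstring(roster_xml)
    item_tag = "{jabber:iq:roster}item"
    found: Dict[str, str] = {}
    for item in root.iter(item_tag):
        jid = item.get("jid", "")
        email = email_from_jid(jid)
        if email is not None:
            found[jid] = email
    return found


# Constructed sample roster stanza (not captured traffic): one contact whose
# JID follows the leaky pattern, one opaque contact, one on a different server.
SAMPLE_ROSTER = """<iq type='result' id='roster_1'>
  <query xmlns='jabber:iq:roster'>
    <item jid='bleeping!!!example.com_w@im.lovense.com' subscription='to'/>
    <item jid='3f9a1c2e@im.lovense.com' subscription='both'/>
    <item jid='alice!!!example.org_w@other.example.net' subscription='none'/>
  </query>
</iq>"""


if __name__ == "__main__":
    for jid, email in emails_from_roster(SAMPLE_ROSTER).items():
        print(f"{jid} -> {email}")
```

The opaque second contact in the sample is the design a defender would want: an identifier visible to other users should be a random or hashed value, not a reversible encoding of a private attribute, so that the roster reveals nothing a friend request did not already entitle the requester to.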
The researchers confirmed that the whole process can be completed in under a second per user with a script. BleepingComputer created a throwaway account today and shared its username with BobDaHacker, who simply added us as a friend and returned the email address we had registered with.
The researcher also said the victim does not need to accept the friend request for the flaw to be exploited.
BleepingComputer also confirmed that valid usernames are relatively easy to find on forums and Lovense-related sites such as lovenselife.com.
The researchers further claim that the FanBerry extension created by Lovense can be used to harvest usernames, since many cam models use the same username across platforms, making it possible to harvest email addresses at scale.
The researchers also discovered a critical vulnerability that allows a complete account takeover.
Using only an email address, an attacker could generate authentication tokens without needing the password. With these tokens, an attacker could impersonate a user across Lovense platforms, including Lovense Connect, StreamMaster and Cam101.
These tokens also allegedly worked for administrator accounts.
While Lovense has mitigated the flaw by rejecting the tokens at its API, the researchers say gtokens can still be generated without a password, so the fix removes the impact rather than the root cause.
Both issues were reported to Lovense on March 26, 2025. In April, after the bugs were submitted through HackerOne, Lovense told the researchers that the email issue was already known and slated to be fixed in an upcoming version.
The company initially downplayed the takeover flaw, but after the researchers explained that it could grant full administrator account access, Lovense rated it critical.
In total, the researchers received $3,000 for disclosing the flaws.
On June 4, the company claimed the flaws were fixed, but the researchers confirmed that was not the case. Lovense finally fixed the account takeover flaw in July, but said it would take about 14 months to resolve the email flaw, as the fix would break compatibility with older versions of the app.
"We have launched a long-term remediation plan that will take approximately ten months, with at least four additional months needed to fully implement a complete solution," Lovense told the researchers.
"We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions. We have decided against this approach in favor of a more stable and user-friendly solution."
The researchers criticized this response, as well as the company's repeated claims that the issues were fixed when they were not.
"Your users deserve better. Stop prioritizing old app support over security. Actually fix things. And test your fixes before claiming they work," BobDaHacker wrote in the report.
Finally, Lovense says it deployed a proxy feature on July 3, suggested by the researchers, to mitigate the attack. However, even after a forced update of the app, the flaw was still exploitable, so it is unclear what changed.
In 2016, multiple Lovense flaws exposed email addresses or allowed attackers to determine whether an email address had an account on Lovense.
BleepingComputer contacted Lovense for comment but did not receive a response.