I found critical vulnerabilities in Lovense that affected 11M+ users.
I discovered email disclosure and authentication bypass vulnerabilities that let anyone take over accounts. It turns out other researchers reported these same bugs in 2022 and 2023, but Lovense lied about fixing them.
They told me the fixes would take 14 months due to "architectural complexity." After going public, they fixed everything in 48 hours.
There's a lot more sketchy behavior from them, such as lying to journalists, trying to silence researchers, and paying different amounts for the same bugs. The story got picked up by tech news outlets, but my blog post has the most up-to-date info and full details.
Full technical breakdown and timeline: https://bobdahacker.com/blog/lovense-still-leaking-user-emails