A zero-day flaw in the Lovense sex toy platform allows attackers to obtain a user’s private email address simply by knowing their public username. This vulnerability, which the company has known about for months, puts its 20 million users at significant risk of doxxing and harassment.
The connected sex toy manufacturer Lovense is grappling with a serious zero-day security vulnerability that exposes its users’ private information.
The platform, popular for its app-controlled devices and integration with camming websites, allows attackers to link a public username to a private email address. Since many users, particularly cam models, publicly share their Lovense usernames for interactive sessions, they are made easy targets. This flaw creates a direct pipeline from a public persona to private data, opening the door for targeted harassment, doxxing, and other malicious activities.
The exploit, discovered by security researcher BobDaHacker, involves manipulating the platform’s application programming interface (API) and its XMPP-based chat system. An attacker uses their own credentials to get an authentication token and encryption keys from the `/api/wear/genGtoken` endpoint. They then encrypt a target’s public username and submit it to another API, which allows them to add a corresponding fake Jabber ID (JID) to their contact list. Upon refreshing this list, the system reveals the target’s real JID, which is structured in a way that includes the user’s actual email address, such as `username!!!domain.com_w@im.lovense.com`, making it trivial to extract.
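The root cause described above is an identifier that carries user data. The following Python example is added here and is not code from the article, the researcher or Lovense: it flags JIDs that follow the quoted layout in a roster export, next to one possible replacement that derives the JID from an internal account ID with a keyed hash. The function names, the account ID, the secret and the sample JID are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Layout quoted in the article: <local>!!!<mail-domain>_w@<chat-host>
LEAKY_LAYOUT = re.compile(r"^[^@!]+!!![^@!]+\.[^@!]+_w@[^@]+$")


def leaks_email(jid: str) -> bool:
    """True if the JID follows the layout that embeds an email address."""
    return LEAKY_LAYOUT.match(jid) is not None


def opaque_jid(account_id: str, secret: bytes, host: str) -> str:
    """Derive a JID whose localpart carries no user-supplied data.

    HMAC-SHA256 over an internal account ID (assumed to exist server-side);
    without the secret, the localpart cannot be recomputed or reversed.
    """
    digest = hmac.new(secret, account_id.encode("utf-8"), hashlib.sha256)
    return f"{digest.hexdigest()[:32]}@{host}"


def audit(jids):
    """Return the JIDs in a roster export that still use the leaky layout."""
    return [j for j in jids if leaks_email(j)]


if __name__ == "__main__":
    # Assumption: a real deployment loads this key from a secret store.
    secret = b"constructed-demo-secret"
    roster = [
        "alice!!!example.com_w@im.lovense.com",             # constructed, old layout
        opaque_jid("acct-1001", secret, "im.lovense.com"),  # constructed account ID
    ]
    for jid in audit(roster):
        print("identifier embeds an email address:", jid)
```
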
This email disclosure flaw was reported alongside a second, more critical vulnerability that permitted a full account takeover. Using only a target’s email address, an attacker could generate authentication tokens to impersonate the user across all Lovense platforms, including gaining access to administrative accounts. While Lovense has since mitigated the account hijacking bug, its existence points to severe architectural weaknesses in the platform’s security. The researchers noted that even after the fix, it was still possible to generate some authentication tokens without a password.
Lovense’s response to the disclosure, which occurred on March 26, 2025, has been criticized by the researchers. The company initially downplayed the flaws and repeatedly claimed they were fixed when they were not. For the email disclosure vulnerability, Lovense stated a proper fix would take approximately 14 months to implement, citing a need to maintain backward compatibility for older app versions rather than ship an immediate security patch. This decision to prioritize legacy support over user safety drew sharp criticism from the security community.
The situation is further complicated by conflicting statements and a history of similar issues. As of late July 2025, Lovense claimed a fix was rolling out, yet researchers were still able to successfully demonstrate the exploit. This incident echoes past problems, including similar data exposure flaws in 2016 and the revelation that other researchers had discovered and reported the same account takeover bug in 2023, only for it to be allegedly marked as fixed without a proper resolution. This pattern suggests a systemic issue with how Lovense handles security reports and protects its user data.