AT2k Design BBS Message Area
Area: Friendly Debate (18+ please)
From: Mike Powell
To: All
Subject: Lovense adult toy app lea
Date/Time: July 30, 2025 9:23 AM

 [A bit of real-life humor - not political but I couldn't think of a better
place to share it. -- Mike]

Lovense adult toy app leaks private user email addresses - what we know, and
how to stay safe if you're affected

Date:
Tue, 29 Jul 2025 20:02:00 +0000

Description:
Experts find a way to doxx people using smart sex toy app - and it still
hasn't been fixed.

FULL STORY

Lovense, a sex tech company specializing in smart, remotely controlled adult
toys, had a vulnerability in its systems which could allow threat actors to
view people's private email addresses.

All they needed was that person's username and apparently - these things are
relatively easy to come by.

Recently, security researchers under the alias BobDaHacker, Eva, Rebane,
discovered that if they knew someone's username (maybe they saw it on a forum
or during a cam show), they could log into their own Lovense account (which
doesn't need to be anything special, a regular user account will suffice), and
use a script to turn the username into a fake email (this step uses
encryption and parts of Lovense's system meant for internal use).

That fake email gets added as a friend in the chat system, but when the 
system updates the contact list, it accidentally reveals the real email
address behind the username in the background code.

Automating exfiltration 

The entire process can be automated and done in less than a second, which
means threat actors could have abused it to grab thousands, if not hundreds 
of thousands of email addresses, quickly and efficiently. 

The company has roughly 20 million customers worldwide, so the attack surface
is rather large. 

The bug was discovered together with another, even more dangerous flaw, which
allowed for account takeover. While that one was quickly remedied by the
company, this one has not yet been fixed. Apparently, the company still needs
months of work to plug the leak: 

"We've launched a long-term remediation plan that will take approximately ten
months, with at least four more months required to fully implement a complete
solution," Lovense told the researcher. 

"We also evaluated a faster, one-month fix. However, it would require forcing
all users to upgrade immediately, which would disrupt support for legacy
versions. We've decided against this approach in favor of a more stable and
user-friendly solution." 

Lovense also said that it deployed a proxy feature as a mitigation but
apparently, it's not working as intended.

How to stay safe 

The attack is particularly concerning as such records could contain more than
enough sensitive information for hackers to launch highly personalized,
successful phishing campaigns, leading to identity theft, wire fraud, and
even ransomware attacks.

If you're concerned you may have been caught up in the incident, don't worry 
- there are a number of methods to find out. HaveIBeenPwned? is probably the
best resource only to check if your details have been affected, offering a
run-down of every big cyber incident of the past few years. 

And if you save passwords to a Google account, you can use Google's Password
Checkup tool to see if any have been compromised, or sign up for one of the
best password manager options we've rounded up to make sure your logins are
protected. 

 Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/security/lovens...
r-email-addresses

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (618:250/1)
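
The leak described in the article is a classic over-exposure pattern: a contact-list endpoint serialises whole user records, the client only renders the public fields, and the private email rides along in the JSON where any other user can read it. The following added example (not Lovense's code and not from the article; all names, records and functions are hypothetical) shows the leaky serializer beside a hardened one that allow-lists fields per record, plus a regression check a defender can run over any contacts response to catch the same bug coming back.

```python
"""
Constructed illustration of API-response over-exposure: a contact list
that dumps whole user records leaks every private field to anyone who
can add a contact. Everything here is hypothetical example code.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class UserRecord:
    user_id: int
    username: str
    display_name: str
    email: str  # private: must never reach another user's client


# Constructed sample backend store (hypothetical data, .invalid addresses).
USERS = {
    1: UserRecord(1, "alice_t", "Alice", "alice@example.invalid"),
    2: UserRecord(2, "bob_r", "Bob", "bob@example.invalid"),
}

# Fields any other user may see. Everything not listed is private by default,
# so a new private column added later cannot silently start leaking.
PUBLIC_FIELDS = ("user_id", "username", "display_name")


def serialize_contacts_leaky(viewer_id: int, contact_ids: list) -> list:
    """The flawed pattern: return the whole record for each contact.
    The client renders only username/display_name, but the email is in
    the payload for anyone who inspects the response."""
    return [asdict(USERS[cid]) for cid in contact_ids]


def serialize_contacts_safe(viewer_id: int, contact_ids: list) -> list:
    """Hardened pattern: allow-list fields per record. Only the record's
    own user ever receives private fields such as email."""
    out = []
    for cid in contact_ids:
        rec = asdict(USERS[cid])
        if cid == viewer_id:
            out.append(rec)  # a user may see their own email
        else:
            out.append({k: rec[k] for k in PUBLIC_FIELDS})
    return out


def leaks_private_field(payload: list, viewer_id: int, field: str = "email") -> bool:
    """Regression check for any contacts response: does a record that is
    not the viewer's own expose `field`?"""
    return any(field in rec and rec.get("user_id") != viewer_id for rec in payload)


if __name__ == "__main__":
    # Bob (id 2) has Alice (id 1) in his contact list and fetches it.
    leaky = serialize_contacts_leaky(2, [1, 2])
    safe = serialize_contacts_safe(2, [1, 2])
    print("leaky response exposes another user's email:", leaks_private_field(leaky, 2))
    print("safe response exposes another user's email:", leaks_private_field(safe, 2))
```

The design point is the allow-list: the hardened serializer names the fields that may leave the server rather than the fields to strip, so the default for anything new is private. The `leaks_private_field` check is cheap enough to run in a unit test against every endpoint that returns user records, which is how a regression of this kind is caught before it ships.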