Lovense rolls out fix for app-controlled sex toys after media reports privacy breach
Sex toy company Lovense has rolled out fixes for two security vulnerabilities in its app-controlled sex toys after media reported that the flaws could expose users’ names and email addresses, putting them at risk of identity exposure and remote takeover of their devices. According to a statement released by Lovense CEO Dan Liu, “all identified vulnerabilities have been fully addressed.”
Last week, Dutch retailers Bol.com and EasyToys suspended sales of the popular app-operated Lovense toys. This followed media reports that an ethical hacker had identified vulnerabilities in how the app communicates with Lovense servers. One flaw allowed an attacker to retrieve a user’s email address and name by sending a manipulated request to those servers. With that data, an attacker could gain access to the user’s account, potentially allowing the paired device to be controlled remotely.
The vulnerabilities had reportedly been reported to Lovense in March, and the company had still not fixed them by the time the Dutch retailers decided to stop selling the toys.
According to Lovense, these vulnerabilities have now been fixed. Liu said that the company completed its 14-month system reconstruction plan “significantly ahead of schedule” as part of an emergency response to fix the bugs through “dedicated efforts” from the team and “increased resource allocations.”
Liu said that the “vulnerabilities were discovered under controlled conditions by the researcher, who is part of a bug bounty platform we joined in 2018, and not through malicious activity.”
“All identified vulnerabilities have been fully addressed,” Liu said. “As of today, there is no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.” He urged users of the app-operated sex toys to update the software to the latest version.
Liu, who founded the now Singapore-headquartered company in Hong Kong in 2010, did not address reports that Lovense had known about the vulnerabilities since March and responded only after media coverage of the bugs went viral.
“In response to the numerous erroneous reports online, our legal team is investigating the possibility of legal action,” Liu wrote. It was not clear whether this was directed at those involved in disclosing the security issues or at the media outlets that reported on them.
BobDaHacker, the Dutch hacker who revealed the vulnerabilities to the Dutch media, confirmed that both bugs were fixed on July 30. “But only after public pressure forced their hand. The email disclosure they claimed would take 14 months to fix? Fixed in 2 days. The account takeover vulnerability first reported in 2023? Also suddenly fixed after 2 years of lies,” the hacker said. “This went viral and within 48 hours, they miraculously found solutions to 'impossible' problems.”
