Lovense App Vulnerability Exposes Millions of User Emails via Usernames
A severe API vulnerability in Lovense's ecosystem—used by 20 million owners of app-controlled devices like the Lush and Kraken—allows attackers to expose users' private email addresses simply by knowing their public usernames. The flaw, discovered by security researchers BobDaHacker, Eva, and Rebane, enables real-time harvesting of sensitive data, posing significant risks to privacy and safety.
The Attack Chain: From Username to Email
The exploit leverages Lovense's XMPP-based chat infrastructure through three API endpoints:
1. Attackers first obtain authentication tokens via POST /api/wear/genGtoken
2. They encrypt any known username using provided AES-CBC keys
3. The encrypted payload is sent to /app/ajaxCheckEmailOrUserIdRegisted?email={encrypted_username}
As researcher BobDaHacker explained:
"After muting someone in the app, I saw an API response containing an email. Why was that there? I reverse-engineered how to turn any username into their private email."
The system responds with a fabricated Jabber ID (JID). When the attacker adds that JID to their XMPP roster, the platform reveals the victim's real JID, structured as [email protected], which directly exposes [email protected].
Critical Context and Impact
- Public Usernames: Lovense IDs are frequently shared openly on forums and cam platforms like lovenselife.com
- Automated Harvesting: Attack scripts execute the process in <1 second per user
- Cam Model Targeting: The FanBerry browser extension compounds risks by facilitating username collection
- Account Hijacking: A separate critical flaw (since patched) allowed full account takeover using only email addresses, including admin accounts
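As an added, defender-side example (not code from the researchers or from Lovense), the script below flags clients that query the registration-check endpoint named above in rapid bursts, which is what the sub-second automated harvesting described in the list would look like in a web access log. The log format and the sample lines are constructed; the base64-looking query values are placeholders, not real ciphertext.

```python
"""Flag clients hammering the username->email check endpoint.

Added example; assumes a constructed, simplified access-log format:
"<unix_ts> <client_ip> <method> <path>" (one request per line).
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoint named in the write-up; its query value is an encrypted username.
CHECK_PATH = "/app/ajaxCheckEmailOrUserIdRegisted"

# Constructed sample: one client walks several usernames in under a second,
# another makes a single check that looks like normal registration traffic.
SAMPLE_LOG = """\
1753000000.10 203.0.113.7 POST /api/wear/genGtoken
1753000000.35 203.0.113.7 GET /app/ajaxCheckEmailOrUserIdRegisted?email=Zm9v
1753000000.61 203.0.113.7 GET /app/ajaxCheckEmailOrUserIdRegisted?email=YmFy
1753000000.88 203.0.113.7 GET /app/ajaxCheckEmailOrUserIdRegisted?email=YmF6
1753000001.02 203.0.113.7 GET /app/ajaxCheckEmailOrUserIdRegisted?email=cXV4
1753000005.00 198.51.100.4 GET /app/ajaxCheckEmailOrUserIdRegisted?email=aGVsbG8=
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, method, path-without-query)."""
    ts, ip, method, path = line.split(maxsplit=3)
    return float(ts), ip, method, urlsplit(path).path


def find_harvesters(log_text, window_s=10.0, max_lookups=3):
    """Return {ip: total_lookups} for clients that hit CHECK_PATH more than
    max_lookups times inside any sliding window of window_s seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, path = parse_line(line)
        if path == CHECK_PATH:
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:   # slide window forward
                start += 1
            if end - start + 1 > max_lookups:
                flagged[ip] = len(times)
                break
    return flagged
```

Tune window_s and max_lookups to the real rate of legitimate registration checks; the thresholds here are illustrative only.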
Disclosure Timeline and Vendor Response
Researchers reported both flaws on March 26, 2025. While Lovense fixed the account hijacking vulnerability in July after initial downplaying, they deemed the email leak a lower priority. The company stated:
"A complete fix would break legacy app support. Our 14-month remediation plan prioritizes stability over forcing immediate upgrades."
Researchers received $3,000 in bounties but criticized Lovense's approach:
"Your users deserve better. Stop putting old app support over security. Actually fix things. And test your fixes before saying they work."
Historical Echoes and Unresolved Risks
This isn't Lovense's first email exposure incident—similar flaws surfaced in 2016. Despite deploying a proxy mitigation on July 3, 2025, researchers confirm the core vulnerability remains exploitable. The delayed fix timeline leaves millions vulnerable as usernames continue circulating on adult platforms.
For IoT developers, this highlights the dangerous intersection of chat protocols, legacy dependencies, and sensitive data handling. When privacy failures can enable real-world harassment, security debt becomes an existential threat—one that can't wait 14 months to resolve.
Source: BleepingComputer