Redazione RHC : 29 July 2025 15:23
The Lovense platform, which has long carved out a niche market for itself with app-controlled sex toys (including models such as Lush, Gush, and Kraken), is affected by a security bug that allows anyone's email address to be obtained from their public username. The flaw affects both regular users and models who use Lovense for streaming and shows. Because usernames on the platform are often public on forums or social media, an attacker can easily match a username to a real email address, creating a risk of doxxing and stalking.
The vulnerability was discovered by a researcher using the pseudonym BobDaHacker who, together with colleagues Eva and Rebane, reverse engineered the application and automated the attack. During the analysis, it turned out that the bug lay in the interaction between the Lovense server and the XMPP chat through which messages are exchanged between users.
According to the researcher, the vulnerability was discovered by accident while trying to mute another user's notifications via the Lovense interface. After pressing the "Mute" button, he studied the API response and was surprised to find someone else's email address in it. This raised suspicions, and further analysis showed that, with a particular sequence of correctly formed requests, it is possible to obtain the email address of any platform participant from their public nickname. Furthermore, this data collection is easily automated, so addresses can be requested en masse and at high speed.
The attack works as follows. First, the attacker sends a POST request to the /api/wear/genGtoken endpoint using their own credentials. In response, the server issues an authentication token (gtoken) together with the key material for symmetric encryption (AES-CBC). The attacker then encrypts any known username with that key material and sends it to /app/ajaxCheckEmailOrUserIdRegisted?email={encrypted_username}.
In response, the server returns a fake email address, from which an artificial Jabber ID (JID) is built. This JID is added to the attacker's XMPP contact list and a standard add-a-friend request is sent over XMPP, after which the contact list is refreshed. The refreshed list then contains not only the fake JID but also the victim's real JID, which is constructed according to a fixed pattern from the victim's real email address (its local part and domain), so the address can be read straight back out of it: for example, a JID of the form [email protected] corresponds to the email [email protected].
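To make the root cause of the email leak concrete, here is an added example that is not code from the original article and not Lovense's code: a hypothetical chat identifier derived reversibly from the email, of the kind described above, shown beside an opaque identifier derived with an HMAC from a server-side secret and an internal account id. The `_at_` separator, the `im.example.test` chat domain, the sample email and the account ids are assumptions for illustration only; the article does not give the real encoding, and the point is that any reversible encoding leaks regardless of which separator it uses.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: placeholder chat domain for the example, not the real service's.
CHAT_DOMAIN = "im.example.test"


def weak_jid(email: str) -> str:
    """Hypothetical email-derived JID of the reversible kind the article describes.

    XMPP node parts cannot contain '@', so the '@' is swapped for a marker
    ('_at_' here; the real separator is not given in the article). Any such
    substitution can be undone by whoever sees the JID on a contact list.
    """
    return f"{email.replace('@', '_at_')}@{CHAT_DOMAIN}"


def email_from_weak_jid(jid: str) -> Optional[str]:
    """Recover the email from an email-derived JID (what the attacker does)."""
    node, _, domain = jid.rpartition("@")
    if domain != CHAT_DOMAIN or "_at_" not in node:
        return None
    local, _, mail_domain = node.rpartition("_at_")
    return f"{local}@{mail_domain}"


class OpaqueDirectory:
    """Hardened variant: chat IDs are HMAC outputs keyed with a server secret.

    The chat layer only ever sees the opaque node; the mapping back to an
    account lives in a server-side table that is never sent to clients.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)        # held server-side only
        self._jid_to_account: dict = {}            # jid -> internal account id

    def jid_for(self, account_id: str) -> str:
        # Deterministic per account, so an account keeps one stable JID.
        node = hmac.new(self._key, account_id.encode(), hashlib.sha256).hexdigest()[:32]
        jid = f"{node}@{CHAT_DOMAIN}"
        self._jid_to_account[jid] = account_id
        return jid

    def resolve(self, jid: str) -> Optional[str]:
        """Server-side lookup; there is no client-side way to invert jid_for."""
        return self._jid_to_account.get(jid)


def jid_reveals_email(jid: str, email: str) -> bool:
    """True if the email's local part or domain is visible in the JID's node."""
    local, _, mail_domain = email.partition("@")
    node = jid.rpartition("@")[0].lower()
    return local.lower() in node or mail_domain.lower() in node


if __name__ == "__main__":
    # Constructed sample data for the demo.
    victim_email = "alice@example.com"
    leaky = weak_jid(victim_email)
    print("email-derived JID :", leaky, "->", email_from_weak_jid(leaky))
    directory = OpaqueDirectory()
    opaque = directory.jid_for("acct-1001")
    print("opaque JID        :", opaque, "reveals email:", jid_reveals_email(opaque, victim_email))
```

The opaque scheme still lets the server notify the right account when a contact request arrives, because only the server holds the HMAC key and the lookup table; a client that lands the victim's JID on its roster learns nothing but a 32-character hex string.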
Collecting usernames, as the analysts point out, is not difficult: they are published on sites like lovenselife.com and in models' profiles. Furthermore, Lovense's own FanBerry extension can be used to harvest usernames automatically, especially since many streamers use the same nickname on different platforms.
But that is not the only problem: the researchers also discovered a critical vulnerability that allows complete account takeover. To exploit it, all an attacker needs is the victim's email address. With it, a valid gtoken can be generated without ever entering a password, granting access to any part of the Lovense ecosystem, including the Lovense Connect, StreamMaster, and Cam101 apps. According to the researchers, the vulnerability also affected administrator accounts.
Lovense has since partially fixed this flaw: such tokens are now rejected at the API level, but a gtoken can still be created without entering a password. Both bugs were first documented and submitted to the company on March 26, 2025, and also reported via HackerOne. In April, Lovense replied that the email issue was already known and would be fixed in a future version of the application. In total, the research team received $3,000 for the bugs.
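The following added example (illustrative, not Lovense's code and not from the original article) models the three states described above for the token endpoint: a gtoken minted from a registered email alone, the partial fix that rejects such tokens at the API layer while still minting them, and the complete fix that refuses to mint without a verified password. The token format, the `auth` claim the API inspects, the user store and the credentials are all assumptions constructed for the example; the real gtoken format is not given in the article.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: one HMAC signing key, server-side only


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: only salted password hashes are kept.
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": {"salt": _SALT, "pw_hash": _hash_password("correct horse", _SALT)},
}


def _sign(claims: dict) -> str:
    """Assumed token format: base64url(JSON claims) '.' HMAC-SHA256 hex."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_gtoken(token: str) -> Optional[dict]:
    """Return the claims if the signature checks out, else None."""
    body, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def mint_gtoken(email: str, password: Optional[str], *, require_password: bool) -> Optional[str]:
    """Token endpoint in two configurations.

    require_password=False models the vulnerable endpoint (and the partial fix,
    which left issuance untouched): a registered email alone yields a token.
    require_password=True is the complete fix: no verified password, no token.
    """
    user = USERS.get(email)
    if user is None:
        return None
    verified = password is not None and hmac.compare_digest(
        _hash_password(password, user["salt"]), user["pw_hash"]
    )
    if require_password and not verified:
        return None
    return _sign({
        "sub": email,
        "auth": "password" if verified else "email_only",  # assumed claim
        "iat": int(time.time()),
    })


def api_accepts(token: str, *, reject_email_only: bool) -> bool:
    """API-side check.

    reject_email_only=True models the partial fix: tokens minted without a
    password are refused here, even though they can still be minted.
    """
    claims = verify_gtoken(token)
    if claims is None:
        return False
    if reject_email_only and claims.get("auth") != "password":
        return False
    return True


if __name__ == "__main__":
    stolen = mint_gtoken("alice@example.com", None, require_password=False)
    print("original : takeover works ->", api_accepts(stolen, reject_email_only=False))
    print("partial  : still minted   ->", stolen is not None,
          "| accepted ->", api_accepts(stolen, reject_email_only=True))
    print("complete : minted w/o pw  ->", mint_gtoken("alice@example.com", None, require_password=True))
```

The partial fix works only as long as every API path remembers to inspect the claim; gating issuance closes the hole once, which is why a practitioner treats "tokens rejected at the API level" as a stopgap rather than a fix.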
On June 4, Lovense reported that both issues had been fully resolved, but the researchers have since refuted this, confirming that the email disclosure bug remains. Only the gtoken bug was fully fixed, in July. Regarding the remaining email disclosure bug, Lovense stated that it would take approximately 14 months to resolve, because the change will break compatibility with older versions of the client.
According to Lovense, on July 3 the company deployed a proxy feature proposed by the researchers to mitigate the attack. However, even after the forced update, the email bug persisted, and it is unclear what exactly was changed. It is worth remembering that as early as 2016, vulnerabilities had been found in Lovense's services that allowed the existence of an account to be confirmed via its email address, or the address to be extracted directly from requests.