Lovense App Flaw Exposes User Email Addresses

Summary
– Lovense’s platform has a zero-day flaw exposing users’ email addresses via their usernames, risking doxxing and harassment.
– The flaw involves exploiting Lovense’s XMPP chat system and API endpoints to convert usernames into email addresses without user consent.
– Researchers discovered the flaw in March 2025, but only the account hijacking vulnerability was fixed; the email exposure issue is only partially resolved.
– Lovense delayed fixing the email flaw to maintain compatibility with older app versions, despite researchers criticizing the prioritization of legacy support over security.
– The company claims a fix is rolling out, but tests by researchers and BleepingComputer confirm the email exposure flaw still works as of late July 2025.
A critical security vulnerability in the Lovense app has exposed users’ private email addresses, raising concerns about potential harassment and doxxing risks. The flaw allows anyone with basic technical knowledge to link publicly available usernames directly to personal email accounts, creating serious privacy implications for millions of users worldwide.
Lovense, the company behind popular app-controlled intimate products, serves over 20 million customers globally. Many adult content creators rely on these devices, sharing their usernames publicly to allow fans to interact with them remotely. Unfortunately, this practice has now become a security liability due to the newly uncovered flaw.
Security experts discovered that the platform’s XMPP-based chat system inadvertently leaks email addresses through its API responses. By manipulating certain endpoints, attackers can convert any Lovense username into the corresponding email within seconds. The process involves generating authentication tokens, encrypting usernames, and querying the system, all without requiring password access.
The vulnerability was first reported months ago, but only partial fixes were implemented. While Lovense addressed an unrelated account hijacking flaw, the email exposure issue remains unresolved. The company claims a full solution requires extensive app updates and could take over a year to implement without disrupting legacy support.
Researchers demonstrated the exploit by retrieving test account emails in real time, confirming the flaw’s persistence despite Lovense’s assurances of a June fix. Additionally, a separate API was found to allow direct username-to-email conversion without needing chat system access, though this was reportedly patched after disclosure.
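The underlying defect described above, in both the chat system and the separate lookup API, is a profile lookup that returns more than the caller is entitled to see. The following is an added illustration of the defensive pattern, not Lovense's code and not based on any knowledge of its API: a username lookup that serialises the whole stored record (the flawed shape) next to one that uses an allow-list of public fields and releases the email only to the account owner. The user store, field names, and the `Caller` model are constructed for the example.

```python
"""Added example (hypothetical): data-minimising serialisation for a
username-lookup endpoint, shown beside the over-sharing version."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample store; the records and field names are invented for
# this example and do not describe any real service.
USERS = {
    "creator_01": {
        "username": "creator_01",
        "email": "creator01@example.com",
        "display_name": "Creator 01",
        "avatar": "/img/c1.png",
        "last_login_ip": "203.0.113.7",
    },
    "fan_42": {
        "username": "fan_42",
        "email": "fan42@example.net",
        "display_name": "Fan 42",
        "avatar": "/img/f42.png",
        "last_login_ip": "198.51.100.9",
    },
}

# Fields any caller may see. Everything not listed here is private by default,
# so adding a new column to the store cannot silently widen the response.
PUBLIC_FIELDS = frozenset({"username", "display_name", "avatar"})


@dataclass(frozen=True)
class Caller:
    username: Optional[str]  # None models an unauthenticated request


def lookup_vulnerable(target: str, caller: Caller) -> Optional[dict]:
    """Flawed pattern: hands the entire stored record to any caller, so a
    public username lookup doubles as an email (and IP) lookup."""
    rec = USERS.get(target)
    return dict(rec) if rec else None


def lookup_hardened(target: str, caller: Caller) -> Optional[dict]:
    """Allow-list serialisation: public fields only, plus the email when the
    caller is the account owner. Unknown users and strangers never see it."""
    rec = USERS.get(target)
    if rec is None:
        return None
    out = {k: v for k, v in rec.items() if k in PUBLIC_FIELDS}
    if caller.username == target:
        out["email"] = rec["email"]
    return out


def leaked_private_fields(response: Optional[dict]) -> set:
    """Response-side check a contract test or egress filter can run:
    which non-public fields made it into the reply?"""
    if not response:
        return set()
    return set(response) - PUBLIC_FIELDS


if __name__ == "__main__":
    stranger = Caller(username="fan_42")
    print("vulnerable leaks:", leaked_private_fields(lookup_vulnerable("creator_01", stranger)))
    print("hardened leaks:  ", leaked_private_fields(lookup_hardened("creator_01", stranger)))
```

The `leaked_private_fields` check is the part worth keeping in a CI suite: it asserts on the wire shape of every profile-returning endpoint, which is what catches a second, forgotten endpoint of the kind the researchers found after the first fix.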
Lovense has faced similar security issues in the past, including a 2016 incident where email addresses were exposed through different vulnerabilities. The latest findings highlight ongoing concerns about the platform’s commitment to user privacy, particularly given its popularity among adult performers who face heightened risks of harassment.
The company maintains that updates are rolling out to app stores, with full deployment expected within a week. However, independent verification shows the exploit still functions, casting doubt on these claims. Security experts urge users to exercise caution when sharing Lovense usernames publicly until a verified fix is in place.
This incident underscores the growing challenges of balancing functionality with privacy in connected devices, especially in industries where anonymity is often crucial for user safety. As investigations continue, affected individuals remain vulnerable to potential misuse of their personal information.
(Source: BLEEPING COMPUTER)