Our blog has covered vulnerabilities in some unusual gadgets — from smart mattress covers and robot vacuums to traffic signal audio buttons, children’s toys, pet feeders, and even bicycles. But the case we’re discussing today might just be the most… exotic yet. Recently, cybersecurity researchers uncovered two extremely serious vulnerabilities in the remote control apps for… Lovense sex toys.
Everything about this story is wild: the nature of the vulnerable gadgets, the company’s intention to take 14 months (!) to fix the problems, and the scandalous details that emerged after researchers published their findings. So let’s… get stuck right into this tale, which is as absurd as it is fantastic.
The Lovense online ecosystem
The first thing that makes this story so unusual is that Lovense, a maker of intimate toys, caters to both long-distance couples and cam models (human models that use webcams) working on streaming platforms.
To control devices and enable user interaction, the company has developed an entire suite of software products tailored for a variety of scenarios:
- Lovense Remote: the main mobile app for controlling intimate devices.
- Lovense Connect: a companion app that acts as a bridge between Lovense devices and other apps or online services. It’s installed on a smartphone or computer and allows a toy to connect via Bluetooth, and then relays control commands from external sources.
- Lovense Cam Extension: a browser extension for Chrome and Edge that links Lovense devices with streaming platforms. It’s used with the Lovense Connect app and the OBS Toolset streaming software for interactive control during live broadcasts.
- Lovense Stream Master: an all-in-one app for streamers and cam models combining device control features with live streaming functionality.
- Cam101: Lovense’s online educational platform for models working on streaming sites.
Of course, this whole setup also includes APIs, SDKs, an internal platform for mini-apps, and more. In short, Lovense isn’t just about internet-connected intimate toys — it’s a full-fledged ecosystem.

UI of the Stream Master app, which combines device management and video streaming.
If you create an account in the Lovense infrastructure, you’re required to provide an email address. Whereas some services offer the option to sign in with Google or Apple, an email address is the primary sign-up method for a Lovense account. This detail might seem insignificant, but it’s at the core of the vulnerabilities that were discovered.
Two vulnerabilities in Lovense online products
So, how did this all unfold? In late July 2025, a researcher known as BobDaHacker published on his blog a detailed post about two vulnerabilities in Lovense’s online products. Many of the products (including Lovense Remote) have social-interaction features. These features allow users to chat, add friends, send requests and subscribe to other users, including people they don’t know.
While using the social-interaction features of one of the Lovense apps, BobDaHacker spotted the first vulnerability: when he disabled notifications from another user, the app sent an API request to the Lovense server. After examining the body of this request, BobDaHacker was surprised to find that, instead of the user’s ID, the request contained their actual email address.

When a simple action (like disabling notifications) was performed, the app would send a request to the server that included another user’s real email address.
Upon further investigation, the researcher found that Lovense’s API architecture was designed so that for any action that concerned another user (like disabling their notifications), the app sends a request to the server. And in this request the user’s account is always identified by the real email address they signed up with.
In practice, this meant that any user who intercepted their own network traffic could get access to the real email addresses of other people on the app. It’s important to remember that the Lovense apps have social-interaction features and allow communication with cam models. In many cases, users don’t know each other outside of the platform, and exposing the email addresses linked to their profiles could lead to deanonymization.
BobDaHacker discussed his findings with another cybersecurity researcher named Eva, and together they examined the Lovense Connect app. This led them to discover an even more serious vulnerability: generating an authentication token in the app only required the user’s email address — no password was needed.
This meant that any technically skilled person could gain access to any Lovense user’s account — as long as they knew the user’s email address. And as we just learned, that address could easily be obtained by exploiting the first vulnerability.
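As an added illustration (not Lovense’s code, and not taken from BobDaHacker’s write-up), here is a constructed Python sketch that places the two design flaws described above beside their hardened counterparts: a token minted from an email alone versus one gated on a verified password, and a request body that names another user by real email versus one that uses an opaque ID. The in-memory store, function names and sample accounts are all assumptions made for the example.

```python
import hashlib, hmac, secrets

# Constructed in-memory user store (assumption for this example): opaque id -> record.
USERS = {}        # user_id -> {"email", "salt", "hash"}
EMAIL_INDEX = {}  # email -> user_id
TOKENS = {}       # token -> user_id

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(email, password):
    salt = secrets.token_bytes(16)
    user_id = "u_" + secrets.token_hex(8)  # opaque identifier, never the email itself
    USERS[user_id] = {"email": email, "salt": salt, "hash": _hash(password, salt)}
    EMAIL_INDEX[email] = user_id
    return user_id

def _issue(user_id):
    token = secrets.token_hex(16)
    TOKENS[token] = user_id
    return token

# Flawed pattern described in the post: a token is minted from the email alone.
def token_from_email_only(email):
    user_id = EMAIL_INDEX.get(email)
    return None if user_id is None else _issue(user_id)  # no credential check at all

# Hardened form: the password must verify before any token is issued.
def token_with_password(email, password):
    user_id = EMAIL_INDEX.get(email)
    if user_id is None:
        return None
    rec = USERS[user_id]
    if not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
        return None
    return _issue(user_id)

# Flawed request body: the other user is identified by their real email address.
def mute_request_leaky(target_email):
    return {"action": "mute_notifications", "target": target_email}

# Hardened request body: other users are referenced by opaque id only.
def mute_request_opaque(target_user_id):
    return {"action": "mute_notifications", "target": target_user_id}

# Defender-side check: does an outgoing request body carry any registered email?
def leaks_email(body):
    return any(v in EMAIL_INDEX for v in body.values() if isinstance(v, str))
```

The `leaks_email` check is the kind of assertion a test suite or API gateway can run over request bodies to catch the email-as-identifier pattern before it ships.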

To generate an authentication token in the Lovense app, only the user’s email was required — without the password.
These tokens were used for authentication across various products in the Lovense ecosystem, including:
- Lovense Cam Extension
- Lovense Connect
- Stream Master
- Cam101
Furthermore, the researchers successfully used this method to gain access to not only regular user profiles but also accounts with administrator privileges.
Lovense’s response to vulnerability reports
In late March 2025, BobDaHacker and Eva reported the vulnerabilities they’d discovered in Lovense products through The Internet Of Dongs Project — a group dedicated to researching and improving the security of internet-connected intimate devices. The following month, in April 2025, they also posted both vulnerabilities on HackerOne, a more traditional platform for engaging with security researchers and paying bug bounties.
Lovense, the adult-toy manufacturer, acknowledged the report and even paid BobDaHacker and Eva a total of $4000 in bounties. However, in May and then again in June, the researchers noticed the vulnerabilities still hadn’t been fixed. They continued talking to Lovense, which is when the most bizarre part of the story began to unfold.
First, Lovense told the researchers that the account takeover vulnerability had been fixed in April. But BobDaHacker and Eva checked and confirmed this was false: it was still possible to get an authentication token for another user’s account without a password.
The situation with the email disclosure vulnerability was even more absurd. The company stated it’d take 14 months to fully resolve the issue. Lovense admitted they had a fix that could be implemented in just one month, but they decided against it to avoid compatibility problems and maintain support for older app versions.
The back-and-forth between the researchers and the manufacturer continued for several more months. The company would repeatedly claim the vulnerabilities were fixed, and the researchers would just as consistently prove they could still access both emails and accounts.
Finally, in late July, BobDaHacker published a detailed blog post describing the vulnerabilities and Lovense’s inaction, but only after giving the company advance notice. Journalists from TechCrunch and other outlets contacted BobDaHacker and were able to confirm that in early August — four months after the company was first notified — the researcher could still ascertain any user’s email address.
And that was far from the end of it. The most scandalous details were revealed to BobDaHacker and Eva only after their research was published.
A history of negligence: who warned Lovense and when
BobDaHacker’s work made waves across media, blogs, and social networks. As a result, just two days after the report was published, Lovense finally patched both vulnerabilities — and this time, it seems, for real.
However, it soon came to light that this story started long before BobDaHacker’s report. Other researchers had already warned Lovense about the very same vulnerabilities for years, but their messages were either ignored or hushed up. These researchers shared their stories with BobDaHacker and the publications that covered his investigation.
To truly grasp the extent of Lovense’s indifference to user security and privacy, you just need to look at the timeline of these reports:
- 2023: a researcher known as @postypoo reported both bugs to Lovense, and was offered… two free adult toys in response, but the vulnerabilities were never fixed.
- Also in 2023: researchers @Krissy and @SkeletalDemise discovered the vulnerability related to account takeovers. Lovense claimed the issue had been fixed, and paid a bounty in the same month. However, @Krissy’s follow-up message stating that the vulnerability was still present went unanswered.
- 2022: a researcher named @radiantnmyheart discovered the bug that exposed emails, and reported it. The message was ignored.
- 2017: the company Pen Test Partners reported the email exposure vulnerability and the lack of chat encryption in the Lovense Body Chat app, and published its study on this. The report was ignored.
- 2016: The Internet Of Dongs Project identified three similar email exposure vulnerabilities.
This all means that Lovense asked BobDaHacker to give it 14 months to patch vulnerabilities they’d known about for at least eight years!
What’s more, after BobDaHacker’s report was published, the researchers heard not only from the ethical hackers who’d previously reported these bugs, but also from the creator of an OSINT website and their friends, who were anything but happy. These individuals had apparently been exploiting the vulnerabilities for their own purposes — specifically, harvesting user emails and subsequently deanonymizing users. This isn’t surprising, though, given that the Pen Test Partners report had been publicly available since 2017.
Protecting your privacy
Lovense’s approach to user privacy and security clearly leaves a lot to be desired — to put it mildly. Whether to continue using the brand’s devices after this — especially connecting them to the company’s online services — is a decision each user needs to make for themselves.
For our part, we offer some tips on how to protect yourself and maintain your privacy should you interact with adult online services.
- Always create a separate email address when you register for these types of services. It shouldn’t contain any information that can be used to identify you.
- Don’t use this email address for any other activities.
- When registering, don’t use your real first name, surname, age, date of birth, city of residence, or any other data that could identify you.
- Don’t upload real photos of yourself that could easily be used to recognize you.
- Protect your account with a strong password. It should contain at least 16 characters and ideally include a mix of uppercase and lowercase letters, numbers, and special characters.
- This password must be unique. Never use it for other services so you don’t put them at risk in the event of a data leak.
- To avoid forgetting the password and email address you created specifically for this service, use a reliable password manager. KPM can also help you generate a random, strong, and unique password.
And if you want to be more… boned up when it comes to choosing adult toys and relevant services, we recommend looking at specialized resources like The Internet Of Dongs Project, where you can find information about brands that interest you.
Check out our other posts on how to protect your private life from prying eyes: