
Lovense, known for its remote-operated sex toys, is vulnerable to a flaw that allows attackers to reveal users’ plaintext email addresses. An update from the researcher who found the leak blows the case wide open, and Lovense comes back with its rebuttal.
BobDaHacker, an ethical hacker and security enthusiast, has discovered a flaw in Lovense’s platform, which allows attackers to obtain users’ email addresses by just knowing their usernames.
“It all started when I was using the Lovense app and muted someone. That's it. I just muted them. But then I saw the API response and was like... wait, is that an email address? Why is that there?” the researcher said in a blog post.
Following this discovery, BobDaHacker dug deeper and found that any username could be easily converted into the user’s personal email address.
The attack flow can be executed in seconds
The researcher outlined the attack flow, which they said was “surprisingly straightforward.”
Cybernews researchers pointed out that this isn’t a singular vulnerability. Instead, it's an exploit chain that leverages multiple unsecured APIs and vulnerable authentication flows, allowing bad actors to receive encryption keys that can then be used to access a user's real email address.
To exploit the flaw, an attacker would need only create a POST request to a specific endpoint (/API/wear/genGtoken) with the user’s account credentials.
This command returns GToken and AES-CBC encryption keys (x and y parameters).
An attacker would then need to locate a Lovense username, of which many are public, and encrypt the username using the encryption keys obtained from the previous step.
Once encrypted, the bad actor would then send another POST request to the endpoint (/app/ajaxCheckEmailOrUserIdRegisted?email={encrypted_username}), including the GToken and X parameters.
According to BobDaHacker’s blog post, this command returns the user’s encrypted data, including a fake email address, which can be decrypted using the same AES-CBC keys.
An attacker must connect to Lovense’s XMPP server using their account to obtain the user's real email address.
By converting the fake email address into a specific format (@ replaced by !!!, add _w suffix), adding this email to their roster or contact list, and requesting to connect, the fake JID and the user’s real JID are obtained.
BobDaHacker said that this process took roughly 30 seconds per username, but with a script, it could take less than a second to crack.
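A defender-side view of the lookup step described above, as an added example that is not from the article, the researchers or Lovense: it scans access-log lines for accounts that query the /app/ajaxCheckEmailOrUserIdRegisted endpoint for many distinct values inside a short window, the pattern a scripted run would leave. The log format, account ids, thresholds and the find_enumerators name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint path as named in the article; log format and thresholds are assumed.
LOOKUP_PATH = "/app/ajaxCheckEmailOrUserIdRegisted"
LINE_RE = re.compile(r"^(\S+) (\S+) POST ([^?\s]+)\?email=(\S+)$")

# Constructed sample lines: ISO timestamp, account id, method, request URL.
SAMPLE_LOG = """\
2025-07-01T10:00:00 acct-17 POST /API/wear/genGtoken
2025-07-01T10:00:01 acct-17 POST /app/ajaxCheckEmailOrUserIdRegisted?email=a1f0
2025-07-01T10:00:02 acct-17 POST /app/ajaxCheckEmailOrUserIdRegisted?email=b27c
2025-07-01T10:00:02 acct-17 POST /app/ajaxCheckEmailOrUserIdRegisted?email=c93e
2025-07-01T10:00:03 acct-17 POST /app/ajaxCheckEmailOrUserIdRegisted?email=d4aa
2025-07-01T10:00:04 acct-17 POST /app/ajaxCheckEmailOrUserIdRegisted?email=e51b
2025-07-01T10:05:00 acct-42 POST /app/ajaxCheckEmailOrUserIdRegisted?email=f00d
2025-07-01T10:07:30 acct-42 POST /app/ajaxCheckEmailOrUserIdRegisted?email=f00d
2025-07-01T10:10:00 acct-88 POST /app/ajaxCheckEmailOrUserIdRegisted?email=0a0a
2025-07-01T10:13:00 acct-88 POST /app/ajaxCheckEmailOrUserIdRegisted?email=0b0b
2025-07-01T10:16:00 acct-88 POST /app/ajaxCheckEmailOrUserIdRegisted?email=0c0c
2025-07-01T10:19:00 acct-88 POST /app/ajaxCheckEmailOrUserIdRegisted?email=0d0d
"""

def find_enumerators(log_text, max_distinct=3, window=timedelta(seconds=60)):
    """Map account -> peak count of distinct lookup values inside any
    `window`, for accounts whose peak exceeds `max_distinct`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != LOOKUP_PATH:
            continue  # other endpoints or malformed lines
        events[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(4)))

    flagged = {}
    for account, hits in events.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({value for _, value in hits[start:end + 1]}))
        if peak > max_distinct:
            flagged[account] = peak
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

With the default thresholds only the burst from acct-17 is flagged; widening the window also catches the slower, spaced-out pattern from acct-88.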
Another flaw in Lovense’s design
BobDaHacker and another researcher, Eva, found another flaw that created GTokens or authorization tokens without asking for a password.
These tokens could be generated by exploiting the flaws from the previous vulnerability, allowing bad actors to create tokens with just users’ email addresses.
Apparently, these tokens worked on Lovense Extension, Lovense Connect, SteamMaster, Cam101, and even on admin accounts.
“Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,” the ethical hacker said.
While the researchers reported these flaws to Lovense, they said the company would “rather leave everyone’s emails exposed for 14 months than make people update their apps.”
What’s alarming is that Lovense’s toys are predominantly used by cam models who could be subject to doxxing and online harassment if their emails are leaked.
Furthermore, users of these devices could risk receiving phishing emails used to harvest more sensitive information.
Researchers suggest that users of Lovense toys should use a “throw-away email” that isn’t tied directly to them.
They also urge users to question their trust in a company that “takes 4+ months to half-fix critical bugs.”
Update: "It gets worse"
BobDaHacker reached out to Cybernews and pointed us in the direction of a further update on the issue, and as they said, "It gets worse."
Following their post on X (formerly Twitter), a software engineer named Krissy informed BobDaHacker that they found the same account takeover bug back in September 2023 alongside their friend, who goes by the moniker SkeletalDemise.
The pair found an easier way to exploit Lovense's API problem via an HTTP endpoint. "This thing let you convert any email to username and vice versa. No XMPP dancing required, just a simple API call. Way easier than our convoluted method," BobDaHacker said in their update.
The timeline provided reveals that the company seemingly wanted to hide the problem, downgrading the problem in severity, and marking the vulnerability as "resolved" when it apparently wasn't.
In early 2025, however, the company patched the issue without informing Krissy, all while supposedly lying about the issue being resolved back in 2023.
As of July 2025, BobDaHacker reports that the bug still hasn't been fixed properly as it "still generates tokens, but they don't work on most endpoints."
Furthermore, Krissy was allegedly paid $350 for the disclosure, whereas BobDaHacker and co. were apparently awarded $3,000 for the critical vulnerability.
Krissy wrote a post on HackerOne, asking for the bounty to be re-evaluated, considering that they were paid far less.
Lovense responds
Lovense reached out to Cybernews to provide further information on the issue brought forward by BobDaHacker and Krissy.
The company claims that “user safety and privacy have always been (its) top priority,” and since joining the HackerOne platform in 2018, it has “actively collaborated with thousands of researchers to continuously strengthen the security of (its) platform.”
According to Lovense, when the company received the vulnerability report from “the researcher,” the sex toy maker “immediately took action.” Lovense claims that this issue has now been “fully addressed.”
Regarding the leaky email situation, Lovense recognizes “the seriousness of the email exposure issue and has prioritized it accordingly.”
Once the company received “the researcher’s” report, Lovense claims it “swiftly implemented corrective measures.”
“Due to the technical complexity involved, we took a phased approach to resolve the issue without disrupting the current user experience,” a Lovense spokesperson told Cybernews.
“The issue was gradually resolved through two version updates and was completely fixed by the end of June, addressing all vulnerabilities highlighted by the researcher,” a Lovense spokesperson told Cybernews.
The sex toy maker told Cybernews that the 14-month timeline published by the researcher “actually refers to this long-term platform improvement plan, which includes various architectural enhancements.”
Lovense told Cybernews that the vulnerabilities found by the researcher were previously submitted to app stores before the post was published.
“The full update is expected to be pushed to all users within the next week. Once all users have updated to the new version and we disable older versions, this issue will be completely resolved,” the spokesperson told Cybernews.