- Researchers found a way to extract email addresses from Lovense user accounts
- A mitigation was released, but allegedly it does not work as intended
- The company claims it still needs months to plug the leak
Lovense, a sex-tech company that specializes in smart, remotely controlled adult toys, had a vulnerability in its systems that could allow threat actors to see people's private email addresses.
All they needed was the person's username, and apparently those are relatively easy to come by.
Recently, security researchers going by the aliases BobDaHacker, Eva and Rebane found that if they knew another person's username (for example, one seen on a forum or during a cam show), they could log in to their own Lovense account (nothing special is required; a regular user account is sufficient) and use a script to turn that username into a fake email address in the format Lovense's system uses internally.
That fake email address is then added as a "friend" in the chat system, and when the system updates the contact list, it inadvertently reveals the real email address behind the username in the background code.
Exfiltration automation
The whole process can be automated and completed in under a second, which means threat actors could have abused it to harvest thousands, if not hundreds of thousands, of email addresses quickly and efficiently.
The company has approximately 20 million customers worldwide, so the attack surface is considerable.
The flaw was discovered alongside another, even more dangerous one that enabled account takeover. While that one was quickly fixed by the company, this one has not yet been corrected. Apparently the company still needs "months" of work to plug the leak:
"We have launched a long-term remediation plan that will take about ten months, with at least four months more required to fully implement a complete solution," Lovense told the researchers.
"We also evaluated a faster, one-month solution. However, it would require all users to upgrade immediately, which would interfere with support for older versions. We have decided against this approach in favor of a more stable and user-friendly solution."
Lovense also said it implemented a proxy feature as a mitigation, but apparently it does not work as intended.
How to stay safe
The particular danger of this attack is that such a list could contain more than enough sensitive information for hackers to launch highly personalized, convincing phishing campaigns, leading to identity theft, wire fraud and even ransomware attacks.
If you are worried you may have been caught up in the incident, don't panic: there are several ways to find out. Have I Been Pwned? is probably the best resource for checking whether your details have been affected, offering a rundown of every major cyber incident of the last few years.
And if you save passwords to a Google account, you can use Google's Password Checkup tool to see if any of them have been compromised, or sign up for one of the best password managers we've rounded up to make sure your logins are protected.
Via BleepingComputer