Lovense: The Company That Lies to Security Researchers

July 28, 2025 • BobDaHacker

This post has been updated with new information showing the account takeover vulnerability was previously reported and allegedly fixed in 2023. See the update at the bottom. Lovense couldn't get any scummier.

What Happened

So it all started when I was using the Lovense app and muted someone. That's it. Just muted them. But then I saw the API response and was like... wait, is that an email address? Why is that there?

Initial Discovery
Just muting someone exposed their email - wtf

After digging deeper, I figured out how to turn any username into their email address.

So we had two big problems:

  1. Email Disclosure - Any username could be turned into their email address
  2. Account Takeover - Make auth tokens with just an email, no password needed

How Bad Was It?

The Email Thing (not fixed)

The email disclosure vulnerability was surprisingly straightforward once you understood the flow. Here's exactly how it worked:

The Attack Steps:

  1. Get a GToken with encryption parameters:

    • Make a POST request to /api/wear/genGtoken with your account credentials
    • This returns a gtoken and encryption keys (x and y parameters)
  2. Look up any username:

    • Take any Lovense username you want to get the email for
    • Encrypt the username using AES-CBC with the keys from step 1
    • Send POST request to /app/ajaxCheckEmailOrUserIdRegisted?email={encrypted_username}
    • Include your gtoken and X parameter in headers
  3. Get the encrypted user data:

    • The API returns encrypted user information including a fake email
    • Decrypt the response using the same AES-CBC keys
  4. Extract the real email through XMPP manipulation:

    • Connect to Lovense's XMPP server using your account
    • Take the fake email from step 3's API response and convert it to XMPP JID format (@ replaced by !!!, add _w suffix)
    • Example: cfc561791785b996b989593402dc41a8!!!lovense.remote.email_w@im.lovense.com
    • Add this fake JID as a contact to your XMPP roster
    • Send a presence subscription request to that JID
    • Fetch your roster - this returns both the fake JID you added AND the user's actual JID with their real email
    • Example real JID: xyzeva!!!riseup.net_w@im.lovense.com (which reveals the real email: xyzeva@riseup.net)
    • The XMPP server links them by ofId, so you can match and extract the real email
    • Remove the contact to clean up

The whole process took maybe 30 seconds per username manually; with the script we made to automate it, it took less than 1 second to convert a username to an email. We could have easily harvested emails from any public username list. This is especially bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed.

Taking Over Accounts (partially fixed)

While Eva and I were checking out the Lovense Connect app later, we found something even worse (Eva did most of the work) - it was making gtokens (auth tokens) without ever asking for a password. Just an email was enough.

The Attack Steps:

  1. Get the target's email - Either from the email disclosure bug or if you already know it
  2. Set up the request parameters:
    • userName: The target's email
    • userType: "0"
    • pf: "connect-pc" (platform)
    • ver: "1.7.9" (version)
  3. Generate the signature:
    • Create an MD5 hash of: {platform}-#-{version}-#-{email}##0
    • Append timestamp: {md5hash}-#-{timestamp}
  4. Encrypt the signature using AES-CBC with:
    • Key: The app's hardcoded appId (a79643e665bb9833)
    • IV: The app's hardcoded appSecret (2DF65319C4D46284)
  5. Send POST request to https://apps.lovense-api.com/api/connect/genGtoken
  6. Get back a valid gtoken - No password needed!

These tokens worked on:

Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address.

The Timeline (Get Ready for This)

March 26, 2025: We reported both bugs to Lovense with help from Internet of Dongs.

March 26, 2025: They said they're looking at it.

March 27, 2025: They confirmed the bugs exist and they're working on fixes.

March 28, 2025: We also put both bugs on HackerOne.

April 8, 2025: On HackerOne:

April 9, 2025: After we explained you can literally take over ANY account including admins, they finally made it critical and added $2,000.

May 30, 2025: We told them nothing was fixed.

June 4, 2025: This is where it gets insane. They said:

  1. Account takeover was "fixed on April 7" (it wasn't)

  2. For the email leak, here's a snippet from their email:

    "Following your report, we conducted a thorough investigation and rolled out initial mitigation steps, including a temporary fix for the script path issue you identified. However, resolving the root cause involves deeper architectural work. We've launched a long-term remediation plan that will take approximately ten months, with at least four more months required to fully implement a complete solution. We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions. We've decided against this approach in favor of a more stable and user-friendly solution."

    Read that again. They wanted 14 MONTHS to fix it. They could fix it in 1 month but won't because of "legacy versions".

June 14, 2025: We sent them a long email saying:

We suggested they just proxy the XMPP stuff. It would hide emails without breaking anything, work with old apps, and be quick to implement. They said they'd do it but ignored the idea completely.
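The post suggests proxying the XMPP traffic so roster responses stop carrying email-bearing JIDs. As an added example (not code from the post, and not Lovense's), here is what such a proxy filter could do with the JID format described in the attack steps above: any `<user>!!!<domain>_w@host` JID is replaced by a keyed pseudonym in the same `<32 hex>!!!lovense.remote.email_w` shape the page already shows, so unchanged clients keep parsing it, while the already-opaque JID and the client's own address pass through untouched. The HMAC secret, `OWN_JID` and the sample roster stanza are constructed assumptions.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Email-bearing local part as in the page's examples: "<user>!!!<domain>_w@<host>[/resource]".
EMAIL_JID_RE = re.compile(r"^(?P<local>[^@/]+)!!!(?P<domain>[^@/_]+)_w@(?P<host>[^/]+)(?P<res>/.*)?$")
PSEUDO_DOMAIN = "lovense.remote.email"  # domain of the already-opaque "fake email" JIDs on the page
JID_ATTRS = ("jid", "from", "to")       # stanza attributes that can carry a JID
ROSTER_NS = "jabber:iq:roster"


class RosterRedactor:
    # Filter a server-side XMPP proxy applies to stanzas before they reach one client.
    def __init__(self, secret: bytes, own_bare_jid: str):
        self.secret = secret              # assumption: server-only key, never sent to clients
        self.own_bare_jid = own_bare_jid  # the client's own JID must stay recognisable to it
        self.reverse: dict[str, str] = {}  # pseudonym -> real bare JID, for the client's outbound stanzas

    def redact_jid(self, jid: str) -> str:
        m = EMAIL_JID_RE.match(jid)
        if jid.split("/", 1)[0] == self.own_bare_jid or not m or m["domain"] == PSEUDO_DOMAIN:
            return jid  # own address, no email inside, or already pseudonymous: leave untouched
        email = f"{m['local']}@{m['domain']}".lower()
        tag = hmac.new(self.secret, email.encode(), hashlib.sha256).hexdigest()[:32]
        pseudo = f"{tag}!!!{PSEUDO_DOMAIN}_w@{m['host']}"
        self.reverse[pseudo] = f"{m['local']}!!!{m['domain']}_w@{m['host']}"
        return pseudo + (m["res"] or "")

    def resolve(self, pseudo_bare_jid: str) -> str:
        return self.reverse.get(pseudo_bare_jid, pseudo_bare_jid)  # outbound: pseudonym back to real JID

    def filter_stanza(self, xml_text: str) -> str:
        # Rewrite every JID attribute; ElementTree may re-prefix namespaces, which is equivalent XML.
        root = ET.fromstring(xml_text)
        for el in root.iter():
            for attr in JID_ATTRS:
                if el.get(attr):
                    el.set(attr, self.redact_jid(el.get(attr)))
        return ET.tostring(root, encoding="unicode")


# Constructed roster result: the opaque JID from the page next to the real-email JID it was linked to.
OWN_JID = "me!!!example.org_w@im.lovense.com"
SAMPLE_ROSTER = (
    f'<iq xmlns="jabber:client" type="result" id="r1" to="{OWN_JID}/app"><query xmlns="{ROSTER_NS}">'
    '<item jid="cfc561791785b996b989593402dc41a8!!!lovense.remote.email_w@im.lovense.com" subscription="none"/>'
    '<item jid="xyzeva!!!riseup.net_w@im.lovense.com" subscription="to"/></query></iq>'
)


def redacted_roster_jids(secret: bytes = b"constructed-demo-secret") -> list[str]:
    # Roster item JIDs the client sees after the proxy filters SAMPLE_ROSTER.
    out = ET.fromstring(RosterRedactor(secret, OWN_JID).filter_stanza(SAMPLE_ROSTER))
    return [item.get("jid") for item in out.iter(f"{{{ROSTER_NS}}}item")]
```

The pseudonym is stable per email, so a proxy can keep linking the two roster entries the page says the server joins by ofId, without the real address ever reaching the client.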

June 15, 2025: They came back with new dates:

July 28, 2025: Guess what? Still broken:

The Real Problem: They Don't Care

They'd rather leave everyone's emails exposed for 14 months than make people update their apps. That June 4th email proves it - they literally chose old app support over user privacy.

The funny thing? Later they said they "fully agree that user privacy must take precedence over legacy compatibility."

Where We Are Now

  1. Emails still leak - XMPP roster still gives out emails

    Here's proof from today when pinning someone:

    UpdateSetTop API Request
    The app sends the email in the "jid" param; it got this from XMPP, which still leaks it.

  2. Account takeover "fixed" - You can still make gtokens with just an email (no password!). All endpoints I've tested reject them now, but why let them be made at all? It's like leaving your door open with a "do not enter" sign.

What This Means

This isn't just tech bugs. It's about:

If You Use Lovense

To Lovense: Your users deserve better. Stop putting old app support over security. Actually fix things. And test your fixes before saying they work.

Update (2025-07-29) - It Gets Worse

So after I posted this on Twitter, someone called @Krissy hit me up with some wild news. Turns out they found the EXACT SAME account takeover bug I did... except they found it back in September 2023. Almost two years ago, with their friend @SkeletalDemise.

But wait, it gets better. They also found an HTTP endpoint:

/api/getUserNameByEmailV2

This thing let you convert ANY email to username and vice versa. No XMPP dancing required - just a simple API call. Way easier than our convoluted method.

The Timeline That'll Make You Angry

September 4, 2023: @Krissy reports the account takeover bug to Lovense on HackerOne. Gets triaged as High severity initially.

September 28, 2023: Here's where it gets sketchy. Lovense says "I'd like to make it medium severity, would you agree with this?" Then immediately downgrades it from High to Medium and pays out $350. Their excuse? "These PC apps are deprecated, very few cam users still use them."

Same day: They claim it's "fixed" and mark it resolved.

Reality check: The fix was bullshit. @Krissy immediately retested. They found the account takeover and the email/username HTTP endpoint still worked fine.

August 2024: @Krissy asks for disclosure. They ignore her and close it as "resolved."

Early 2025: The HTTP endpoint for converting emails/usernames stopped functioning and was patched, without her being informed and after they had lied about it being patched in 2023.

March 2025: Eva, Rebane and I report the exact same account takeover bug that was supposedly "fixed" in 2023. But here's the kicker - when we pushed for it to be Critical, they actually listened and paid us $3,000 total.

July 2025: Still not properly fixed: it still generates tokens, but they don't work on most endpoints.

Just now: @Krissy wrote on the HackerOne post for the bounty to be re-evaluated since we got paid way more for the same bug they "fixed" in 2023.

So let me get this straight - they had nearly two years to fix a critical account takeover bug and just... didn't? They told the first researcher it was fixed when it wasn't, then when we reported the same bug again, suddenly it was news to them? And they'll pay $3,000 and upgrade the report to critical for some researchers but only $350 for others finding the exact same bug?

I was able to confirm this is all real because @Krissy added me as a collaborator on their original HackerOne report. The evidence is right there.

What This Really Shows

This isn't just about bad security practices anymore. This is about a company that:

When you find the same critical bug twice, two years apart, with the company claiming it's "fixed" both times... that's not incompetence. That's negligence.

This kind of behavior doesn't just harm users - it actively undermines the security research community. When companies lie about fixes, manipulate severity ratings for financial gain, and treat researchers inconsistently, it discourages responsible disclosure. Why would researchers bother reporting vulnerabilities privately when they might get lied to, underpaid, and ignored for years? Lovense's pattern here is exactly how you push researchers toward public disclosure or worse - selling vulnerabilities on gray markets instead of reporting them responsibly.

Update (2025-07-29) - Lovense's Response: More Lies to the Press

Lovense hasn't commented on my blog post directly, but they're now lying to journalists. Here's what they told Lawrence Abrams from BleepingComputer - and why it's complete bullshit:

Lie #1: "Fixed by end of June"


They claim the email vulnerability was "fully fixed by the end of June." This is a complete lie. It still works perfectly. The XMPP server still leaks emails exactly as described in my original report.

Lie #2: Misrepresenting My Research


They claim I said you need someone to "accept a friend request" to get their email. I never said that anywhere. Look at my actual HackerOne report - the attack works without any friend request acceptance. They're literally making up quotes to discredit the research.

This is their strategy: lie to journalists, misrepresent the research, and hope nobody checks.

The vulnerability still works today. They can lie to the press all they want - the technical evidence speaks for itself.


Thanks to Eva and Rebane for helping with the research, and RenderMan from Internet of Dongs for the disclosure help.
I'll update this if Lovense ever actually fixes these bugs.