- Researchers found a way to extract email addresses from Lovense user accounts
- A mitigation was released, but it reportedly does not work as intended
- The company says it still needs months before plugging the leak
Lovense, a sex tech company that specializes in smart, remotely controlled adult toys, had a vulnerability in its systems that could allow threat actors to see people's private email addresses.
All they needed was that person's username, and apparently these are relatively easy to get.
Recently, security researchers going by the aliases BobDaHacker, Eva, and Rebane discovered that if they knew someone's username (perhaps they saw it in a forum or during a cam show), they could log in to their own Lovense account (which does not need to be anything special; a regular user account is sufficient) and use a script to convert the username into a fake email (this step uses encryption and parts of Lovense's systems meant for internal use).
That fake email is added as a "friend" in the chat system, but when the system updates the contact list, the real email address is accidentally revealed behind the username in the background code.
Exfiltration automation
The entire process can be automated and performed in less than a second, which means that threat actors could have abused it to collect thousands, if not hundreds of thousands, of email addresses quickly and efficiently.
The company has approximately 20 million customers worldwide, so the attack surface is quite large.
The bug was discovered along with another, even more dangerous flaw, which allowed account takeover. While the company quickly remedied that one, this one has not yet been fixed. Apparently, the company still needs "months" of work to plug the leak:
"We have launched a long-term remediation plan that will take approximately ten months, with at least four more months necessary to completely implement a complete solution," Lovense told the researcher.
"We also evaluated a faster, one-month solution. However, it would require all users to update immediately, which would interrupt support for legacy versions. We have decided against this approach in favor of a more stable and easy-to-use solution."
Lovense also said that it deployed a proxy feature as a mitigation, but apparently it does not work as planned.
How to stay safe
The attack is particularly worrying, since these records could contain more than enough information for hackers to launch highly personalized and successful phishing campaigns, leading to identity theft, wire fraud and even ransomware attacks.
If you are worried that you have been caught up in the incident, there are a number of ways to find out. HaveIBeenPwned? is probably the best resource to check whether your data has been affected, offering a rundown of every major cybercrime incident of recent years.
And if you keep your passwords in a Google account, you can use Google's Password Checkup tool to see if any have been compromised, or sign up for one of the best password manager options that we have rounded up to make sure your logins are protected.
Via BleepingComputer