Lovense, the manufacturer of internet-connected adult toys, has confirmed that it has fixed a security vulnerability that allowed attackers to remotely take over a user’s account by revealing the user’s private email address.
The company said the bug has been “completely resolved,” but its chief executive is now considering legal action following the disclosure.
In a statement shared with TechCrunch, Lovense CEO Dan Liu said the sex toy maker is “examining possible legal action” in response to false reports of the bug. When asked by TechCrunch, the company did not clarify whether it was referring to media reports or disclosures by security researchers.
Details about the bug came to light this week after security researchers going by the handle Bobda Hacker revealed that they had reported two security bugs to the sex toy maker earlier this year. The researchers released their findings after claiming that it would take 14 months to fully address the vulnerability, rather than applying the “fastest month fixes” that would require users to update their apps.
In a statement from Liu, Lovense said that users need to update the app before they can resume using all of its features.
In the statement, Liu argued that “there is no evidence to suggest that user data, including email addresses and account information, has been breached or misused.” It is not clear how Lovense came to this conclusion, given that TechCrunch (and other outlets) validated the email disclosure bug by setting up a new account and asking the researchers to identify the relevant email address.
TechCrunch asked Lovense what technical means, such as logs, it has to determine whether there was a compromise of users’ data, but the spokesman did not respond.
It is not unheard of for an organization to resort to legal demands and threats that seek to block disclosure of embarrassing security incidents, despite there being few rules and restrictions in the United States that prohibit such reports.
Earlier this year, independent US journalists rejected legal threats stemming from UK court injunctions after they accurately reported ransomware attacks on UK private health giant HCRG. In 2023, county officials in Hillsborough County, Florida threatened criminal charges against security researchers under the state’s computer hacking laws for identifying and personally disclosing security flaws in the county’s court records system that exposed access to sensitive applications.