Lovense App Vulnerability Exposes Users’ Emails

29.07.2025 3 minutes Author: Newsman

After our article was published, we received an official letter from a Lovense representative in which the company assures that all identified vulnerabilities have already been fixed and that, at the time of writing, there is no evidence of leakage or compromise of user data, including email addresses or accounts. In the letter, Lovense also provides a link to the official statement of the CEO, which we attach below. We consider it necessary to note this as an example of a transparent and responsible response by the company to security risks.

Screenshot of an official letter from the Lovense team, in which the company confirms that all vulnerabilities have been fixed and no data leaks have been recorded.

Article published on: 07/29/2025 at 3:36 PM

A critical zero-day vulnerability has been discovered in the Lovense app for intimate devices, which allows an attacker to learn a user’s email address, given only their public name. This poses serious risks of doxxing, harassment, and leaking the confidential data of millions of people.

Lovense’s interactive toys are popular among online models and remote partners, but their integration with the app has become a vulnerability. A researcher under the pseudonym BobDaHacker, together with Eva and Rebane, discovered that through the XMPP protocol, it is possible to obtain the real email address of any user, given only their public nickname.

The attack works simply: the attacker obtains a token and encryption keys via the official API, encrypts any known username, and sends a request to check whether the account exists; the server responds with an address in a format from which the email is easy to decrypt.

The attack is automated by a script and completes in less than a second, which paves the way for mass collection of emails, especially those of vulnerable users, for example models with FanBerry accounts or profiles on forums.

Lovense is a manufacturer of remote-controlled intimate devices with an audience of over 20 million. The app supports XMPP chats, subscriptions, and integrations with other platforms. Similar vulnerabilities have been discovered before: back in 2016, researchers found email leaks and the ability to check whether an account exists.

Although the bug was reported to the company on March 26, 2025, a full fix has not yet been implemented. Lovense said it needed another 14 months to ensure compatibility with previous versions of the app. Meanwhile, researchers tested the promised fixes — and confirmed that they didn’t work.

Despite the popularity and technological sophistication of Lovense’s products, the company once again shows that commercial convenience is put above user safety. Deliberately delaying the patching of a known vulnerability demonstrates a critical disregard for privacy. In an era when private things can easily become public, this is unacceptable.
