Lovense security Flaws: Account Hijacking and Delayed Fixes Raise User Concerns
Lovense, a company specializing in remote pleasure products, faced scrutiny this year following the finding of notable security vulnerabilities in its applications. Initial reports indicated a potential account hijacking flaw, which was later deemed critical after researchers demonstrated its potential for full administrative access. This incident highlights the ongoing challenges of securing connected devices and the importance of prioritizing user security.
Initial Discovery and Severity Assessment
Researchers initially identified a flaw that appeared less severe. However, after demonstrating the potential for complete administrative control, lovense reclassified the vulnerability as critical. This underscores the need for thorough security assessments and a willingness to reassess risk levels as new facts emerges.
Bug Bounty and Patching Delays
The researchers were compensated with $3,000 for responsibly disclosing these security issues.Lovense initially claimed a fix was deployed on June 4th, but the researchers quickly confirmed this wasn’t the case.
ultimately, the account hijacking flaw was addressed in July. However, a separate email-related vulnerability is slated for a much longer remediation timeline – approximately 14 months.
Lovense’s Explanation for Delayed Email Fix
Lovense explained that a faster, one-month fix for the email flaw would necessitate forcing all users to immediately upgrade their apps. this, they argued, would disrupt support for older app versions. They opted for a more gradual approach, prioritizing stability and user experience.
“We’ve launched a long-term remediation plan that will take approximately ten months,with at least four more months required to fully implement a complete solution,” Lovense stated.
Researcher Criticism and Concerns
The researchers expressed strong criticism of Lovense’s response, particularly the repeated claims of fixes that were not effective. They argued that prioritizing support for legacy app versions over security is unacceptable.
“Your users deserve better. Stop putting old app support over security.Actually fix things. and test your fixes before saying they work,” one researcher stated.
Mitigation Attempts and Unclear Results
Lovense deployed a proxy feature on July 3rd, suggested by the researchers, to mitigate the attack. However, even after a forced app update, the vulnerability remained unresolved, leaving the effectiveness of the change unclear.
History of Security Issues
This isn’t the first time Lovense has faced security concerns. In 2016,multiple flaws were discovered that exposed user email addresses or allowed attackers to determine account existence. This history raises questions about the company’s overall security posture and commitment to protecting user data.
What this means for you: If you are a Lovense user, it’s crucial to keep your app updated to the latest version. Be vigilant about any suspicious activity in your account and consider enabling two-factor authentication if available.
This situation serves as a reminder of the importance of security in the rapidly growing market of connected devices. Companies must prioritize robust security practices and clear interaction with their users to maintain trust and protect sensitive information.
