A newly disclosed zero-day vulnerability in the connected sex toy platform Lovense allows attackers to obtain a user’s private email address simply by knowing their public username, putting millions of users at risk of doxxing and harassment.
Lovense, known for its app-controlled devices like the Lush, Gush, and Kraken, claims to have 20 million customers worldwide. The flaw is especially concerning for cam models and others who publicly share their Lovense usernames on forums or streaming platforms.
Security researcher BobDaHacker, working with researchers Eva and Rebane, discovered the flaw after reverse-engineering the Lovense app. They found that by exploiting interactions between the platform’s XMPP chat system and backend APIs, attackers could encrypt any known username and trigger a server response that reveals the user’s real email address. The process can be fully automated and executed in less than a second per target, without needing the victim to accept a friend request.
The same research team also uncovered a critical account hijacking flaw that allowed attackers to generate authentication tokens without passwords, potentially giving them full control of user and even admin accounts. While Lovense patched the account hijacking issue in July 2025, the email exposure vulnerability remains unfixed. The company says it will take about 14 months to implement a full solution to avoid breaking compatibility with older app versions.
Researchers have criticized Lovense’s slow response, accusing the company of repeatedly claiming the issues were fixed when they were not. Lovense has deployed partial mitigations, but tests indicate the flaw still works, leaving users vulnerable to targeted attacks and privacy violations.