Lovense, a maker of internet-connected sex toys, has confirmed it has fixed a pair of security vulnerabilities that exposed users' private email addresses and allowed attackers to remotely take over any user's account.
While the company said the bugs had been "fully resolved," its chief executive is now considering taking legal action following the disclosure.
In a statement shared with TechCrunch, Lovense CEO Dan Liu said the sex toy maker was "investigating the possibility of legal action" in response to allegedly erroneous reports about the bug. When asked by TechCrunch, the company did not respond to clarify whether it was referring to media reports or a security researcher's disclosure.
Details of the bug emerged this week after a security researcher, who goes by the handle BobDaHacker, disclosed that they reported the two security bugs to the sex toy maker earlier this year. The researcher published their findings after Lovense claimed it would take 14 months to fully address the vulnerabilities rather than applying a "faster, one-month fix" that would have required alerting users to update their apps.
Lovense said in its statement, attributed to Liu, that the fixes put in place would require users to update their apps before they can resume using all of the app's features.
In the statement, Liu claimed that there is "no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused." It's not clear how Lovense came to this conclusion, given that TechCrunch (and other outlets) verified the email disclosure bug by setting up a new account and asking the researcher to identify the associated email address.
TechCrunch asked Lovense what technical means, such as logs, the company has to determine whether there was any compromise of users' data, but a spokesperson did not respond.
It's not unprecedented for organizations to resort to legal demands and threats to try to block the disclosure of embarrassing security incidents, despite there being few rules or restrictions in the U.S. prohibiting such reporting.
Earlier this year, a U.S. independent journalist rebuffed a legal threat from a U.K. court injunction for accurately reporting a ransomware attack on U.K. private healthcare giant HCRG. In 2023, a county official in Hillsborough County, Florida, threatened criminal charges against a security researcher under the state's computer hacking laws for identifying and privately disclosing a security flaw in the county's court records system that exposed access to sensitive filings.

