Lovense DVE Reports

Lovense

Website: https://www.lovense.com/
Vulnerability disclosure address: security@lovense.com
Status: Trusted partner vendor

DVE-2016-01

  • Date Posted: 12/12/2017
  • Type of Vulnerability: Remote User Email Enumeration
  • Products affected: Lovense Bodychat and Wearables Apps
  • Versions affected: Lovense Bodychat before v2.8.2 (Android & iOS), Wearables before v1.7.0 (Android & iOS)
  • Found and reported by: RenderMan
  • Date Reported: 11/4/2016
  • Description: The http://im.lovense.com/ajaxCheckEmailOrUserIdRegisted script is used by the apps to determine whether a user's email address has an account associated with it, for the purpose of "pairing" users for remote control. It returns "true" or "false" to the client and can be queried without authentication and with minimal rate limiting. As a result, it is trivially easy to query a list of email addresses to determine whether any have accounts with Lovense.
  • Remediation: Rate limiting is in place to prevent such enumeration, and a larger overhaul of the user account system is planned for the near future.

DVE-2016-02

  • Date Posted: 12/12/2017
  • Type of Vulnerability: Remote User Email Disclosure
  • Products affected: Lovense Wearables App
  • Versions affected: Lovense Wearables before v1.7.0 (Android & iOS)
  • Found and reported by: RenderMan
  • Date Reported: 11/4/2016
  • Description: The Wearables app has functionality for users to create and share vibration patterns. In the "Marketplace" for these patterns, each entry has the title of the pattern, username (optional), like counts, etc. The email address of the creator is included in the server response but is not displayed in the app. Anyone can easily harvest email addresses that Lovense users may not have wished to disclose.
  • Remediation: The email field is still included in the response; however, it is no longer populated.

DVE-2016-03

  • Date Posted: 12/12/2017
  • Type of Vulnerability: Remote User Email Enumeration
  • Products affected: Lovense Bodychat
  • Versions affected: Bodychat before v2.8.2 (Android & iOS)
  • Found and reported by: RenderMan
  • Date Reported: 11/4/2016
  • Description: The https://im.lovense.com/getAppNotifications script is used by the apps to download news updates for the Bodychat app. The API call sends the logged-in user's email as verification that an account exists. This function ignores the JSESSION ID and can be used to enumerate a list of email addresses to determine whether any have Lovense accounts.
  • Remediation: The service has been decommissioned and completely redesigned.
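
The enumeration pattern described in DVE-2016-01 and DVE-2016-03 shows up in server access logs as one client looking up many distinct email addresses in a short period. The Python below is an added example, not code from Lovense or the reporter, that flags such clients with a sliding window; the log layout, the `email` query parameter name and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Endpoint paths named in DVE-2016-01 and DVE-2016-03.
LOOKUP_PATHS = {"/ajaxCheckEmailOrUserIdRegisted", "/getAppNotifications"}
# Assumed log layout: ISO timestamp, client IP, method, URL, status.
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=3):
    """Map client IP -> peak count of distinct emails looked up inside one
    window, for clients whose count exceeds max_distinct. Lines must be in
    time order."""
    recent = defaultdict(deque)  # ip -> (timestamp, email) pairs in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, _method, url, _status = m.groups()
        parts = urlsplit(url)
        if parts.path not in LOOKUP_PATHS:
            continue
        emails = parse_qs(parts.query).get("email")  # assumed parameter name
        if not emails:
            continue
        when = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((when, emails[0].lower()))
        while when - q[0][0] > window:  # drop lookups older than the window
            q.popleft()
        distinct = len({email for _, email in q})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample: one client walks a list of addresses, one retries a
# single address, one makes a single notification request.
SAMPLE_LOG = (
    [f"2016-11-04T10:00:{i:02d} 203.0.113.7 GET /ajaxCheckEmailOrUserIdRegisted?email=user{i}@example.com 200" for i in range(5)]
    + [f"2016-11-04T10:01:{i:02d} 198.51.100.20 GET /ajaxCheckEmailOrUserIdRegisted?email=partner@example.com 200" for i in range(6)]
    + ["2016-11-04T10:02:00 192.0.2.9 POST /getAppNotifications?email=me@example.com 200"]
)

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```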