Website: https://www.lelo.com/ - https://picobong.com
Vulnerability disclosure address: None Yet Public
Status: Early discussions


  • Date Posted:8/30/2017
  • Type of Vulnerability: Embedded MailChimp API Key
  • Products affected: Picobong Remoji Android app v1.2.2
  • Found and reported by: RenderMan
  • Date Reported: 8/23/2017
  • Description: The Remoji app incorrectly implemented the MailChimp newsletter signup function.
    The app contained the full access API key in plain text which would allow an attacker full administrative control of the MailChimp account, including all mail lists subscriber info and the ability send mail from Lelo.
  • Remediation: The app now implements newsletter signups properly as per MailChimp best practices. The API key has been removed from the app and retired from the MailChimp account.