Mashable, 19 hours ago
Lovense has finally fixed its account takeover problem
The well-known sex toy brand Lovense was recently reported to have two serious security vulnerabilities. The first allowed a user's email address to be obtained easily through the app's mute feature, after which the account could be fully taken over without a password. Researchers discovered the issue in March and notified Lovense, but the company said it would need 14 months to fix it and implemented only partial fixes in the meantime. On July 28, the researchers pointed out that 11 million user accounts were still exposed. More worrying, the vulnerability had already been discovered in 2022, but Lovense did not fix it. After media coverage, Lovense finally released a comprehensive fix for both vulnerabilities on July 30. Notably, Lovense also drew criticism in 2017 when its app was found to be recording users' audio data.

💡 The Lovense app had serious security vulnerabilities: user emails and accounts could easily be stolen. Researchers found that the in-app "mute" feature alone was enough to obtain any user's email address. With the email in hand, an attacker could generate a token without a password and take full control of the account, with no action required from the user.

⏳ Disclosure and remediation were drawn out and contentious. The researchers reported the issue to Lovense in March, but the company initially said a full fix would take 14 months, citing concern about affecting legacy users. Partial fixes were made in the meantime, but as of July 28, as many as 11 million user accounts remained exposed. There is also evidence that the flaw had been discovered as early as 2022, but Lovense took no effective action at the time.

📣 Media coverage was the final push toward a fix. After the researchers published an update on July 28 showing the problem persisted, the story drew broad media attention. Two days after the news broke, on July 30, Lovense officially rolled out a comprehensive fix for the two main vulnerabilities, resolving both the email leak and the account takeover.

⚠️ This is not Lovense's first security problem. Back in 2017, the company was criticized after its app was found to be secretly recording users' audio while they used the app and the device. Lovense said at the time that the recorded audio was never sent to its servers, and it fixed the issue. This latest incident again raises concerns about the company's data security and privacy protections.

Lovense is well-known for its selection of remote-controlled vibrators. It’s slightly less known for a massive security issue that exposed user emails and allowed accounts to be wholly taken over by a hacker without even needing a password. Fortunately, both issues have been fixed, but it didn’t happen without some drama. 

As the story goes, security researcher BobDaHacker (with some help) accidentally found out that you could uncover a user’s email address pretty easily by muting someone in the app. From there, they were able to figure out that you could do this with any user account, effectively exposing every Lovense user’s email without much effort. 

With the email in hand, it was then possible to generate a valid gtoken without a password, giving a hacker total access to a person’s Lovense account with no interaction from its owner. The researchers told Lovense of the issue in late March and were told that fixes were incoming. 

In June 2025, Lovense told the researchers that the fix would take 14 months to implement because it did not want to force legacy users to upgrade the app. Partial fixes were rolled out over time, but they only partially addressed the problems. On July 28, the researchers posted an update showing that Lovense was still leaking emails and had exposed over 11 million user accounts. 

"We could have easily harvested emails from any public username list," BobDaHacker said in a blog post. "This is especially bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed."

It was around then that the story started making its way around the news cycle. Other researchers began reaching out to show that the exploit had actually been known as far back as 2022, and that Lovense had closed the issue without issuing a fix. After two more days of coverage, the sex toy company finally rolled out fixes for both exploits on July 30. 

It’s not Lovense’s first roll in the mud. In 2017, the company was caught with its proverbial pants down after its app was shown to be recording users while they were using the app and toy. Lovense fixed that issue as well, stating that the audio data was never sent to their servers.
