A company that makes a chastity device for people with a penis that can be controlled by a partner over the internet exposed users' email addresses, plaintext passwords, home addresses and IP addresses, and, in some cases, GPS coordinates, due to several flaws in its servers, according to a security researcher.
The researcher, who asked to remain anonymous because he wanted to separate his professional life from the kink-related work he does, said he gained access to a database containing records of more than 10,000 users, thanks to two vulnerabilities. The researcher said he exploited the bugs to see what data he could get access to. He also reached out to the company on June 17 alerting them to the issues in an attempt to get them to fix the vulnerabilities and protect their users' data, according to a screenshot of the email he sent and shared with TechCrunch.
As of publication, the company has yet to fix the vulnerabilities, and did not respond to repeated requests for comment from TechCrunch.
"Everything's just too easy to exploit. And that's irresponsible," the researcher told TechCrunch. "So my biggest hope is that they will contact either you or me and fix everything."
Because the vulnerabilities are not fixed, TechCrunch is not identifying the company in order to protect its users, whose data is still at risk. TechCrunch also contacted the company's web host, which said it would alert the device maker, as well as China's Computer Emergency Response Team, or CERT, in an effort to also alert the company.
Given that he wasn't getting any answers, on August 23 the researcher defaced the company's homepage in an attempt to warn the company again, as well as its users.
"The site was disabled by a benevolent third party. [REDACTED] has left the site wide open, allowing any script kiddie to grab any and all customer information. This includes plaintext passwords and, contrary to what [REDACTED] has claimed, also shipping addresses. You're welcome!" the researcher wrote. "If you have paid for a physical unit and now can't use it, I'm sorry. But there are thousands of people with accounts on here and I couldn't in good faith leave everything up for grabs."
Less than 24 hours later, the company removed the researcher's warning and restored the website. But the company did not fix the issues, which remain present and exploitable.
In addition to the issues that allowed him to gain access to the users' database, the researcher found that the company's website is also exposing logs of users' PayPal payments. The logs show the email addresses the users use on PayPal, and the day they made the payment.
The company sells a chastity cage for people with a penis that can be connected to an Android app (there is no iPhone app). Using the app, a partner, who could be anywhere in the world, can follow their partner's movements, given that the device transmits precise GPS coordinates down to a few meters.
This isn't the first time hackers have exploited vulnerabilities in sex toys for men, especially chastity cages. In 2021, a hacker took control of people's devices and demanded a ransom.
"Your cock is mine now," the hacker told one of the victims, according to a researcher who discovered the hacking campaign at the time.
The year before, security researchers had warned the company of serious flaws in its product that could be exploited by malicious hackers.
Over the years, aside from actual data breaches, security researchers have found several security issues in internet-connected sex toys. In 2016, researchers found a bug in a Bluetooth-powered "panty buster," which allowed anyone to control the sex toy remotely over the internet. In 2017, a smart sex toy maker agreed to settle a lawsuit filed by two women who alleged the company spied on them by collecting and recording "highly intimate and sensitive data" of its users.
Do you know of any similar hacks or data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase, and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.