Maker of ‘smart’ chastity cage left users’ emails, passwords, and locations exposed


Share post:

A company that makes a chastity device for people with a penis that can be controlled by a partner over the internet exposed users’ email addresses, plaintext passwords, home addresses and IP addresses, and — in some cases — GPS coordinates, due to several flaws in its servers, according to a security researcher.

The researcher, who asked to remain anonymous because he wanted to separate his professional life from the kink-related work he does, said he gained access to a database containing records of more than 10,000 users, thanks to two vulnerabilities. The researcher said he exploited the bugs to see what data he could get access to. He also reached out to the company on June 17 alerting them of the issues in an attempt to get them to fix the vulnerabilities and protect their users’ data, according to a screenshot of the email he sent and shared with TechCrunch.

As of publication, the company has yet to fix the vulnerabilities, and did not respond to repeated requests for comment from TechCrunch.

“Everything’s just too easy to exploit. And that’s irresponsible,” the researcher told TechCrunch. “So my best hope is that they will contact either you or me and fix everything.”

Because the vulnerabilities are not fixed, TechCrunch is not identifying the company in order to protect its users, whose data is still at risk. TechCrunch also contacted the company’s web host, which said it would alert the device maker, as well as China’s Computer Emergency Response Team, or CERT, in an effort to also alert the company.

Given that he wasn’t getting any answers, on August 23 the researcher defaced the company’s homepage in an attempt to warn the company again, as well as its users.

“The site was disabled by a benevolent third party. [REDACTED] has left the site wide open, allowing any script kiddie to grab any and all customer information. This includes plaintext passwords and contrary to what [REDACTED] has claimed, also shipping addresses. You’re welcome!” the researcher wrote. “If you have paid for a physical unit and now cannot use it, I’m sorry. But there are thousands of people with accounts on here and I could not in good faith leave everything up for grabs.”

Less than 24 hours later, the company removed the researcher’s warning and restored the website. But the company did not fix the flaws, which remain present and exploitable.

In addition to the flaws that allowed him to gain access to the users’ database, the researcher found that the company’s website is also exposing logs of users’ PayPal payments. The logs show the users’ email addresses that they use on PayPal, and the day they made the payment.

The company sells a chastity cage for people with a penis that can be linked to an Android app (there is no iPhone app). Using the app, a partner — who could be anywhere in the world — can follow their partners’ movements, given that the device transmits precise GPS coordinates down to a few meters.

This is not the first time hackers exploit vulnerabilities in sex toys for men, in particular chastity cages. In 2021, a hacker took control of people’s devices and demanded a ransom.

“Your cock is mine now,” the hacker told one of the victims, according to a researcher who discovered the hacking campaign at the time.

The year before, security researchers had warned the company of serious flaws in its product that could be exploited by malicious hackers.

Over the years, other than actual data breaches, security researchers have found several security issues in internet-connected sex toys. In 2016, researchers found a bug in a Bluetooth-powered “panty buster,” which allowed anyone to control the sex toy remotely over the internet. In 2017, a smart sex toy maker agreed to settle a lawsuit filed by two women who alleged the company spied on them by collecting and recording “highly intimate and sensitive data” of its users.

Do you know of any similar hacks or data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase, and Wire @lorenzofb, or email You also can contact TechCrunch via SecureDrop.

Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

X will be profitable in 2024, CEO claims in tense interview

According to X CEO Linda Yaccarino, the company formerly known as Twitter will be profitable by early...

Epic asks the Supreme Court to weigh in on its beef with Apple

We haven’t heard the last of Epic’s crusade against Apple over the iPhone maker’s App Store fees. Epic...

From AI Assistant to image restyler: Meta’s new AI features

Meta announced a host of new AI-powered bots, features and products to be released across its messaging...

Regulators close investigation into Blue Origin’s New Shepard anomaly

The U.S. Federal Aviation Administration has closed the investigation into a mishap that occurred last September during...

Artifact takes on X and Threads with new Posts feature

Artifact, a platform built by Instagram’s co-founders, is launching the ability for users to make posts. Up...

Meta filmed Mr Beast, Paris Hilton and 26 more to build celebrity AIs based on Llama 2

Actors are in the middle of a major, protracted battle with Hollywood over what role AI will...

Can Bird’s Spin acquisition give it the lift it needs?

After being delisted from the NYSE, regaining investor confidence won't be easy It’s been over a year since...

Mark Zuckerberg went 33 minutes without saying ‘metaverse’ at his keynote

When Meta rebranded from Facebook two years ago, the word “metaverse” went mainstream. Even people outside the...