Manufacturer of ‘Smart’ Chastity Device Exposes Users’ Private Information

A manufacturer of a ‘smart’ chastity device designed for individuals with male anatomy, which can be controlled remotely over the internet by a partner, has inadvertently exposed sensitive user information. This security breach resulted from multiple vulnerabilities in the company’s servers, as reported by a security researcher.

The researcher, who has chosen to remain anonymous to maintain a distinction between his professional work and kink-related interests, disclosed that he successfully accessed a database containing records of over 10,000 users through two identified vulnerabilities. His intent was to investigate the extent of data accessible through these flaws. He also responsibly contacted the company on June 17 to notify it of these issues, providing evidence in the form of an email screenshot shared with TechCrunch.

Regrettably, at the time of this publication, the company has not taken steps to rectify these vulnerabilities, and they have not responded to TechCrunch’s numerous requests for comments.

The researcher expressed concerns about the ease with which these vulnerabilities could be exploited, emphasizing the irresponsibility of the situation. He hopes that the company will take corrective action to protect its users and their data.

Given the unresolved vulnerabilities, TechCrunch refrains from revealing the company’s name to safeguard the privacy of its users, who are still at risk. Additionally, TechCrunch has contacted the company’s web host, which has pledged to notify the device manufacturer, as well as China’s Computer Emergency Response Team (CERT), to ensure that the company is informed of these issues.

Faced with a lack of response, the researcher took the extraordinary step of defacing the company’s homepage on August 23, aiming to alert both the company and its users. In his message, he highlighted the company’s failure to secure customer data, including plaintext passwords and shipping addresses, contrary to the company’s claims that such data was protected.

Approximately 24 hours later, the company removed the researcher’s warning and restored its website. However, the vulnerabilities in the system remain unresolved and exploitable.

Furthermore, the researcher discovered that the company’s website inadvertently exposes logs of users’ PayPal payments. These logs reveal the email addresses users employed for PayPal transactions, along with the dates of their payments.

The company’s product consists of a chastity cage for individuals with male anatomy, which can be linked to an Android app (with no equivalent iPhone app). Through this app, a partner, regardless of their location, can monitor the wearer’s movements, since the device transmits precise GPS coordinates accurate to within a few meters.

This incident is not the first instance of hackers exploiting vulnerabilities in male sex toys, particularly chastity devices. In 2021, a hacker gained control of users’ devices and demanded a ransom, making alarming statements to victims.

In the preceding year, security researchers had warned the company about significant flaws in its product that could be exploited by malicious hackers.

In addition to actual data breaches, security researchers have uncovered various security issues in internet-connected sex toys over the years. In 2016, researchers identified a flaw in a Bluetooth-powered “panty buster,” enabling remote control of the sex toy over the internet. In 2017, a manufacturer of smart sex toys settled a lawsuit filed by two women who alleged that the company had spied on them by collecting and recording highly intimate and sensitive user data.