A company that makes a chastity device for people with a penis that can be controlled by a partner over the internet exposed users’ email addresses, plaintext passwords, home addresses and IP addresses, and — in some cases — GPS coordinates, due to several flaws in its servers, according to a security researcher.
The researcher, who asked to remain anonymous because he wanted to separate his professional life from the kink-related work he does, said he gained access to a database containing records of more than 10,000 users, thanks to two vulnerabilities. The researcher said he exploited the bugs to see what data he could get access to. He also reached out to the company on June 17 alerting them of the issues in an attempt to get them to fix the vulnerabilities and protect their users’ data, according to a screenshot of the email he sent and shared with TechCrunch.
As of publication, the company has yet to fix the vulnerabilities and did not respond to repeated requests for comment from TechCrunch.
“Everything's just too easy to exploit. And that's irresponsible,” the researcher told TechCrunch. “So my best hope is that they will contact either you or me and fix everything.”
Because the vulnerabilities are not fixed, TechCrunch is not identifying the company in order to protect its users, whose data is still at risk. TechCrunch also contacted the company’s web host, which said it would alert the device maker, as well as China’s Computer Emergency Response Team, or CERT, in an effort to also alert the company.
Given that he wasn’t getting any answers, on August 23 the researcher defaced the company’s homepage in an attempt to warn the company again, as well as its users.
“The site was disabled by a benevolent third party. [REDACTED] has left the site wide open, allowing any script kiddie to grab any and all customer information. This includes plaintext passwords and contrary to what [REDACTED] has claimed, also shipping addresses. You're welcome!” the researcher wrote. “If you have paid for a physical unit and now cannot use it, I'm sorry. But there are thousands of people with accounts on here and I could not in good faith leave everything up for grabs.”
Less than 24 hours later, the company removed the researcher’s warning and restored the website. But the company did not fix the flaws, which remain present and exploitable.
In addition to the flaws that allowed him to gain access to the users’ database, the researcher found that the company's website is also exposing logs of users’ PayPal payments. The logs show the users’ email addresses that they use on PayPal, and the day they made the payment.
The company sells a chastity cage for people with a penis that can be linked to an Android app (there is no iPhone app). Using the app, a partner — who could be anywhere in the world — can follow their partners’ movements, given that the device transmits precise GPS coordinates down to a few meters.
This is not the first time hackers exploit vulnerabilities in sex toys for men, in particular chastity cages. In 2021, a hacker took control of people’s devices and demanded a ransom.
"Your cock is mine now," the hacker told one of the victims, according to a researcher who discovered the hacking campaign at the time.
The year before, security researchers had warned the company of serious flaws in its product that could be exploited by malicious hackers.
Over the years, other than actual data breaches, security researchers have found several security issues in internet-connected sex toys. In 2016, researchers found a bug in a Bluetooth-powered “panty buster,” which allowed anyone to control the sex toy remotely over the internet. In 2017, a smart sex toy maker agreed to settle a lawsuit filed by two women who alleged the company spied on them by collecting and recording “highly intimate and sensitive data” of its users.
Do you know of any similar hacks or data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase, and Wire @lorenzofb, or email firstname.lastname@example.org. You also can contact TechCrunch via SecureDrop.