A security researcher has discovered that the maker of a ‘smart’ chastity cage for individuals with a penis has left sensitive user data exposed due to several server vulnerabilities. The researcher, who chooses to remain anonymous, exploited two vulnerabilities to gain access to a database containing information on more than 10,000 users. The compromised data includes email addresses, plaintext passwords, home addresses, IP addresses, and in some cases, GPS coordinates.
The researcher promptly alerted the company to the flaws on June 17, urging it to address the vulnerabilities. However, the company has not yet fixed the issues and has not responded to multiple requests for comment from TechCrunch.
A ‘smart’ chastity cage manufacturer has left its users exposed by not addressing critical server vulnerabilities, allowing unauthorized access to sensitive information, including email addresses, passwords, and GPS coordinates. The company has not responded to the security researcher’s notifications, leaving user data at risk.
Due to the unresolved vulnerabilities, TechCrunch has chosen not to disclose the name of the company to safeguard its users’ data. TechCrunch also contacted the company’s web host and China’s Computer Emergency Response Team (CERT) to notify them about the situation.
In an effort to exert pressure on the company, the researcher defaced the company’s homepage on August 23, leaving a warning for the company and its users. However, the company merely removed the warning without addressing the flaws, leaving the vulnerabilities exploitable.
Aside from the data breach, the researcher discovered that the company’s website exposes logs of users’ PayPal payments, including their email addresses and payment dates.
The chastity cage, designed for individuals with a penis, allows partners to control the device remotely through an Android app. The app also lets partners, regardless of their location, monitor the wearer’s movements, because it transmits precise GPS coordinates.
Unfortunately, this is not the first instance of hackers exploiting vulnerabilities in sex toys. In a previous incident in 2021, a hacker gained control of similar devices and demanded a ransom from victims. Moreover, security researchers had previously alerted the company about severe flaws in its product.
Over the years, security researchers have identified various security issues in internet-connected sex toys. In 2016, a bug was found in a Bluetooth-powered “panty buster” that allowed unauthorized individuals to control the toy remotely via the internet. Additionally, in 2017, a smart sex toy manufacturer settled a lawsuit filed by users who accused the company of collecting and storing their highly intimate and sensitive data.
It is crucial for companies that manufacture such intimate internet-connected devices to prioritize user privacy and security. Failing to address security vulnerabilities exposes users to potential harm and compromises their personal data.