A security researcher has discovered serious vulnerabilities in a company that manufactures an internet-controlled chastity device for males that exposed users’ email addresses, plaintext passwords, home addresses and IP addresses, and — in some cases — GPS coordinates.
According to TechCrunch, the researcher gained access to a database containing records of over 10,000 users using two vulnerabilities. The researcher exploited the bugs to see what data it could get access to.
Additionally, the researcher informed the company of the vulnerabilities on June 17, urging them to fix them and protect their users.
As of now, the company has not addressed the vulnerabilities yet, the report mentioned.
“Everything’s just too easy to exploit. And that’s irresponsible. So my best hope is that they will contact either you or me and fix everything,” the researcher was quoted as saying.
Moreover, the researcher defaced the company’s homepage in an attempt to warn the company and its users.
“The site was disabled by a benevolent third party. (REDACTED) has left the site wide open, allowing any script kiddie to grab any and all customer information. This includes plaintext passwords and contrary to what (REDACTED) has claimed, also shipping addresses. You’re welcome!” the researcher wrote.
“If you have paid for a physical unit and now cannot use it, I’m sorry. But there are thousands of people with accounts on here and I could not in good faith leave everything up for grabs,” it added.
The company removed the researcher’s warning and restored the website less than 24 hours later. However, the company did not address the flaws, which are still present and exploitable, the report said.
Aside from the flaws that allowed the researcher access to the users’ database, it was discovered that the company’s website exposes logs of users’ PayPal payments.
The logs show the users’ PayPal email addresses as well as the date they made the payment, according to the report.
The company’s chastity device is intended to be controlled by a partner via an Android app. By transmitting precise GPS coordinates, the app allows partners to track the device wearer’s movements.