Connected sex-toy allows for code-injection attacks on a robot you wrap around your genitals

Anonymity and privacy researcher Sarah Jamie Lewis realized that a connected sex toy's "email a blowjob" feature had significant security vulnerabilities and has produced an entertaining and delightful Twitter thread explaining how she was able to both fingerprint electronic blowjob description files and disrupt them with code-injection attacks.


The unnamed connected sex toy allowed one partner to design a blowjob by specifying actions the toy should take, with associated timings; then you could package up your lovingly crafted blowjob and email a link to it to your partner.

However, the links included base-64 encoded versions of the entire blowjob file, making it vulnerable to code-injection attacks. As Lewis notes, "I will leave you to ponder the consequences of having an XSS vulnerability on a page with no framebusting and preauthed connection to a robot wrapped around or inside someones genitals…"

If you want to support Lewis's work — which primarily deals with identifying and publicizing de-anonymization vectors in the Tor network — you can back her Patreon.

(Thanks, Fipi Lele!)