Blog: Internet Of Things

Smart male chastity lock cock-up – plot thickening

Vangelis Stykas 09 Oct 2018

Yes, we’ve actually found something worse!

Qiui sent out a press statement after the publication of the security flaws in their API. It drew a lot of criticism, primarily as it deflected from the core issue that Qiui hadn’t dealt with customer security properly in the 7 months since we first disclosed the issues to them.

I couldn’t help but laugh when I saw this tweet in response from @buttplugio, a respected researcher in the field of teledildonics:

Qiui have since taken down the tweet containing their press release; however, we were quite disappointed by their response generally.

I took a quick look at their web admin interface at https://www.qiuitoy.com//qiui/admin/index.html#/login. This was where Qiui staff themselves administered the whole platform: where they could unlock users, and where all user account data, chat, everything was stored.

Whilst the interface implemented user authentication through the login page above, the backend behind it completely failed to authorise requests: it never checked that the caller actually held a valid staff session before serving data or acting on it.

Hence any content on the platform was exposed to anyone who could reach the admin endpoints. Here's an example:

Someone could probably have taken over the entire platform and locked Qiui staff and admins out of their own system.
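To make the authentication-without-authorisation failure concrete, here is an added example (mine, not Qiui's code, and not their real endpoints): a minimal admin backend whose login page checks staff credentials but whose API routes never consult the session, beside a version that authorises every request server-side. All route names, roles, accounts and user records are hypothetical, and the probe at the end is the first check a tester would run against any admin panel: does a request with no session at all get a 200?

```python
"""Added illustration, not Qiui's code: an admin backend whose login page
authenticates staff but whose API routes never authorise the caller, beside a
version that checks the session on every request. Route names, roles,
accounts and user records are all hypothetical."""
import copy
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data standing in for what such a backend might hold.
SAMPLE_USERS = {"alice": {"device_locked": True}, "bob": {"device_locked": False}}
STAFF_PASSWORDS = {"admin": "correct horse battery staple"}  # hypothetical


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class VulnerableBackend:
    """Authentication without authorisation: /admin/login works, but nothing
    downstream asks whether the caller ever logged in."""

    def __init__(self):
        self.users = copy.deepcopy(SAMPLE_USERS)
        self.sessions = {}  # session token -> role, filled by /admin/login

    def authorised(self, req):
        return True  # the bug: every request is treated as an admin's

    def handle(self, req):
        """Returns (status, body, cookies_to_set)."""
        if req.method == "POST" and req.path == "/admin/login":
            return self.login(req)
        if not self.authorised(req):
            return 401, {"error": "authentication required"}, {}
        if req.method == "GET" and req.path == "/admin/api/users":
            return 200, copy.deepcopy(self.users), {}
        if req.method == "POST" and req.path.startswith("/admin/api/unlock/"):
            name = req.path.rsplit("/", 1)[1]
            if name in self.users:
                self.users[name]["device_locked"] = False
                return 200, {"unlocked": name}, {}
        return 404, {"error": "not found"}, {}

    def login(self, req):
        user = req.form.get("user", "")
        supplied = req.form.get("password", "")
        expected = STAFF_PASSWORDS.get(user, "")
        # compare_digest avoids a timing side channel on the password check.
        if user not in STAFF_PASSWORDS or not hmac.compare_digest(supplied, expected):
            return 401, {"error": "bad credentials"}, {}
        token = secrets.token_urlsafe(32)
        self.sessions[token] = "admin"
        return 200, {"ok": True}, {"session": token}


class HardenedBackend(VulnerableBackend):
    """Same routes and data; the only change is that the session token is
    looked up server-side and the role checked before any handler runs."""

    def authorised(self, req):
        token = req.cookies.get("session")
        return token is not None and self.sessions.get(token) == "admin"


def probe_unauthenticated(backend):
    """The check a tester runs first: which admin routes answer 200 to a
    request that carries no session at all?"""
    probes = [("GET", "/admin/api/users"), ("POST", "/admin/api/unlock/alice")]
    exposed = []
    for method, path in probes:
        status, _, _ = backend.handle(Request(method, path))
        if status == 200:
            exposed.append(f"{method} {path}")
    return exposed


def admin_session(backend):
    """Log in with the hypothetical staff credentials; return the cookie jar."""
    status, _, cookies = backend.handle(
        Request("POST", "/admin/login",
                form={"user": "admin", "password": STAFF_PASSWORDS["admin"]})
    )
    assert status == 200
    return cookies


if __name__ == "__main__":
    print("vulnerable:", probe_unauthenticated(VulnerableBackend()))
    print("hardened:  ", probe_unauthenticated(HardenedBackend()))
```

The point of the two classes is that the login page is identical in both: a login form proves nothing about the routes behind it unless each of those routes re-derives the caller's identity from the session on every request. A real test would fire the same probes over HTTP at each admin endpoint with an empty cookie jar, and treat any 200 with real data in the body as a finding.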

With the help and support of RenderMan from @internetofdongs we approached Jake Guo from Qiui late last night and strongly recommended that they take the platform offline to fix it, given the degree of risk they were exposing customers to.

This morning, the admin platform was taken down. Thankfully it now gives a 404 error.

There have also been reports of users receiving blackmail threats. It’s possible that nefarious actors found this issue before us and have already exploited it. It’s also possible that the blackmail threats are simply opportunistic, so no data has actually been stolen.

A crazy 24 hours.