Lovenese is a defect that allows people to take account without a password

SEX Toy Company Lovese leaks the email addresses for the users of the application and allow the account sensitivity without requesting a password, according to a security researcher. As mentioned before Popadahaker, who describes himself as an ethical infiltrator who is committed to exposing and reporting security weaknesses, They are accused of Lowense of not repairing a serious mistake that was first perceived in 2023.

According to the infiltrator (and later verified by TechcrunchLovenese allows to convert any user name into his email address with the correct knowledge, a defect they discovered at the beginning after a person concealed on the application. With their arrival at the Lovenese Application interface, they were able to obtain emails associated with any public user name in less than a second when the modified demand process is run through an automatic text program. They pointed out that the weak nature of these accounts is “especially bad for the CAM models” that use the Lovenese platform for work, and user names may share these purposes.

The researcher also realized that with an email address for the user (either an address you already or has been obtained using the above -mentioned disclosure error), they can create authenticated symbols that allowed them to take over the associated account without a password. This works with the Lovenese Chrome Extness and Lovenese Connect app, as well as the Cam101 program and the company’s Streammaster programs – and even the official accounts.

Bobdahacker said they initially reported the mistakes of Lovenese with the help of the Hacking Sex Tech project In March 2025, he received $ 3,000 in total to inform them via the Hackerone safety platform. After a series of reactions with the representatives of lovenese, they were told in early June that the calculation error was repaired during the previous month, which the researcher claims to be incorrect. Regarding the defect of e -mail detection, Loves said in A. Bobdahacker printed it that it may take up to 14 months to fix the problem, as the fastest one -month repair “requires forcing all users to upgrade immediately”, which he said is “disrupting support for old versions.”

The researcher continued, saying that they were contacted by the Twitter user who claimed that he found the same account dating back to 2023, and was informed shortly after the report was reported that the defect was resolved, which was not. They said that the correction eventually fixed their way, which used the HTTP end point to convert the name of a user into an email address, but it was not offered until early in 2025. Bobdhacker said they asked for a comment from loveness but at the time of writing this report they did not receive one.

This is not the first time that lovene users stumbled privacy Anxiety insects. In 2017, Reddor The Lovenese application, which allows users to control their sexual games remotely, was recording the sound without their consent and preserving them on their phones. Commenting on Reddit Who claimed to be a representative of Luffy, called the recordings “a mistake in secondary programs” that affected the Android version of the application and said at that time that he was fixed in an update.