A Lovense security flaw may be letting people take over accounts without a password

Sex toy company Lovense leaks the email addresses of its app's users and allows account takeover without requiring a password, according to a security researcher. BobDaHacker, who describes themselves as an ethical hacker committed to exposing and reporting security weaknesses, accused Lovense of failing to fix a serious bug that was first spotted in 2023.

According to the researcher (and later verified by TechCrunch), Lovense allows anyone with the right know-how to convert any username into its email address, a flaw they first discovered after muting someone in the app. With access to the Lovense API, they were able to obtain the email associated with any public username in less than a second when the modified request process was run through an automated script. They pointed out that the exposed nature of these accounts is “especially bad for cam models” who use the Lovense platform for work and may share their usernames for that purpose.

The researcher also found that with a user's email address (either one they already knew or one obtained using the disclosure bug described above), they could generate authentication tokens that allowed them to take over the associated account without a password. This works with the Lovense Chrome extension and the Lovense Connect app, as well as the company's Cam101 and StreamMaster programs, and even official accounts.

BobDaHacker said they initially reported the bugs to Lovense with the help of a sex tech hacking project in March 2025, and they received $3,000 in total for reporting them via the HackerOne bug bounty platform. After a series of exchanges with Lovense representatives, they were told in early June that the account bug had been fixed during the previous month, which the researcher claims is incorrect. Regarding the email disclosure flaw, Lovense said in correspondence published by BobDaHacker that it may take up to 14 months to fix the problem, as the faster one-month fix “requires forcing all users to upgrade immediately,” which it said means “disrupting support for old versions.”

The researcher went on to say that they were contacted by a Twitter user who claimed to have found the same account bug back in 2023, and who was told shortly after reporting it that the flaw had been resolved, which it had not. They said that a fix was eventually applied for that user's method, which used an HTTP endpoint to convert a username into an email address, but it was not rolled out until early 2025. BobDaHacker said they asked Lovense for comment, but had not received one at the time of writing their report.

This is not the first time that Lovense users have run into privacy bugs. In 2017, a Redditor found that the Lovense app, which allows users to control their sex toys remotely, was recording audio without their consent and storing the recordings on their phones. A commenter, who claimed to be a Lovense representative, described the recordings as a “minor bug” that affected the Android version of the app and said at the time that it had been fixed in an update.

2025-07-29 16:05:00
