Sexy Toy Compense leaks email addresses to their app users and allowing accounts to be taken without requesting a password, according to the security auditor. As reported by Bobdahacker, describing themselves as a well-behaved person who is committed to creating and reporting security risks, published when they accused the area of the seriousness of the serious bug.
According to the hackers (and later be verified by Techcrunch), Loedensse allows any username to be answered into their email address for relevant information, which received the back after converting someone to the app. With their investment API, they managed to receive accompanied emails to any public public name that is less than a second time when using the converted application process through automatic text. They noted that the endangered version of these accounts are “not very bad in cam models” using Leave’s platform to work, and they can share their names for these purposes.
The Researcher also recognized that by the user’s email address (whether one of which was already aware of or one received to use the above-mentioned bug), they could produce authority to take a related account without password. This is alleged to work with Lovelonse Chrome Extension Extension and lovelyu Connect App, and Cam10’s Cam101 and streammaster software – and management accounts.
Bobdahacker said it was originally reported the bugs to dedicate the help from the Tech Tech Hacking project on March 2025, and they received $ 3,000 in general to use the Hackerone security platform. After the workshop Loldse Loldse, they are told at the beginning of June that the account took the bug and arranged last month, the researcher said it was not true. Regarding the disclosure of the e-mail, Loldse said with Bobdahacker that it would take 14 months to fix the problem, as one month’s repair, “which interferes with all users that”
The researcher continued to be affected by a Twitter user who received the same account that took a disturbance in the remainder and 2023, and was told shortly after reporting that the bug was resolved, which is not true. They said the patch ended their way, using the HTTP fate to convert the user name to an email address, but that it was not released until at the outset of 2025.
This is not the first time the lovyense users who trigger bugs regarding privacy. In 2017, the Redditor with a lolvense app, allows users to control their local phone toys remotely, recording audio without their consent and saves us on their phone. The Reddit Appendix, called recording of the “Small software software” touching Android type of app and said when it was repaired with the update.
