According to a security researcher, the sex toy company Lovense is leaking the email addresses of its app users and allowing account takeover without asking for a password. As reported by TechCrunch, BobDaHacker, who describes himself as an ethical hacker committed to exposing and reporting security threats, published an extensive report in which he accuses the company of failing to fix a serious issue that it was first informed about in 2023.
According to the hacker (and later verified by TechCrunch), Lovense allows any username to be turned into its email address with the right information, a flaw that he initially discovered after muting someone on the app. With his access to Lovense's API, he managed to obtain the email associated with any public username by running a modified application process through an automated script. He noted that the vulnerable nature of these accounts is especially bad for the "cam models" who use the Lovense platform for work and may share their usernames for these purposes.
The researcher also realized that with a user's email address (either already known or obtained using the aforementioned disclosure bug), he could produce an authentication token that would allow him to access the relevant account without a password. It allegedly worked for the Lovense Chrome extension and the Lovense Connect app, as well as the company's Cam101 and Stream Master software, and even for admin accounts.
He said he initially reported the bugs in March 2025 with the help of the Internet of Dongs sex tech hacking project, and received a total of $3,000 for flagging them through the HackerOne security platform. After numerous interactions with Lovense representatives, he was told in early June that the account takeover bug had been fixed during the previous month, which the researcher claims is not true. Regarding the email flaw, Lovense said in a statement published by BobDaHacker that it could take up to 14 months to resolve the issue, as a faster one-month fix would "need to force all users to immediately upgrade," which it said would "disrupt the legacy version".
The researcher added that he was contacted by a Twitter user who claimed to have found the same account takeover bug in 2023, and who was told shortly after reporting it to Lovense that the bug had been resolved, which was not the case. He said that a patch was eventually applied to his method, which used an HTTP endpoint to convert a username into an email address, but that it was not closed until early 2025. BobDaHacker said that he had asked Lovense for comment but had not received one at the time of writing.
This is not the first time that Lovense has run into privacy concerns. In 2017, a Redditor discovered that the Lovense app, which allows users to control their sex toys from afar, was recording audio without their consent and saving it on their phone. A commenter on the Reddit post, who claimed to be a Lovense representative, described the recording as a "minor software bug" that affected the app's Android version and said it had been fixed in an update at the time.


