Wyze cameras — a smart camera company whose devices are sold on Amazon and Walmart — allowed 13,000 of its customers to look into other people’s homes.
Thousands of Wyze camera customers recently had images of their homes, and in some cases video footage, made visible to strangers, due to a “security event.”
I was watched by someone
byu/H3H3ather inwyzecam
Wyze says that the breach occurred as the company was attempting to bring its camera back online after an outage that “took down Wyze devices for several hours” earlier this month.
‘I Was Watched By Someone’
As the company worked to restore the camera feeds, the goings-on inside customers’ homes were inadvertently exposed to strangers, as Wyze users were shown images that didn’t belong to them.
Strangers viewed other customers’ enlarged thumbnail images, and in some cases, recorded event videos that were attached to them.
On a Reddit forum dedicated to Wyze camera owners, a “23-year-old girl” shared that she was “watched by someone” as she was getting ready for work during the security breach.
She says she felt “violated” and “disgusted and upset” following the incident and would be deleting her Wyze account as a result.
In an email to customers entitled “An Important Security Message from Wyze,” the company admitted to the breach and apologized.
Wyze blamed the security issue on “a third-party caching client library” that was recently integrated into its system.
“We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them,” the company says in the email.
“Most taps enlarged the thumbnail, but in some cases, an Event Video was able to be viewed. All affected users have been notified. Your account was not one of the accounts affected.
“The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once.
“As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.”
‘We Know This is Very Disappointing News’
Following the incident, the company says it has now added a new layer of verification to ensure users are only shown feeds that belong to them.
“To make sure this doesn’t happen again, we have added a new layer of verification before users are connected to Event Videos,” Wyze says in the email.
“We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress-tested for extreme events like we experienced on Friday.
“We know this is very disappointing news.”
In the email to the customers, Wyze claims that around 99.75 percent of its users were unaffected by the breach.
According to ArsTechnica, this is the second time that something like this has happened to Wyze customers in five months. In September, some Wyze users reported seeing feeds of cameras that they didn’t own via Wyze’s online viewer.
Wyze claimed that for 40 minutes, as many as 2,300 people who were logged in to the online viewer may have been able to see 10 strangers’ feeds. ArsTechnica reports that the company blamed this on a “web caching issue” and says that it deployed “numerous technical measures” to prevent the problem from repeating, including limiting account permissions, updating company policies and employee training, and hiring an external security firm for penetration testing.
Image credits: Header photo via Wyze Cameras.
Source link
