In September, some Wyze webcams allowed random users to look into your home (or vice versa). And here we go again… Wyze co-founder David Crosby confirmed that at least a dozen users were able to briefly peek into someone else’s property by being shown the image from someone else’s camera.
We have now discovered a security issue that could allow some users to see videos from cameras that do not belong to them.
— Crosby told to The Verge.
After a lengthy outage that Wyze said was caused by AWS issues, at least 10 users reported that their Wyze app was showing them images they shouldn’t have seen — on someone else’s porch, and in some cases, living room. Some of the videos were from completely different time zones.
Wyze had previously concealed a security vulnerability for three years, failing to notify its customers that their unpatched version 1 cameras could theoretically allow hackers to access video streams over the Internet.
Dave Crosby, Chief Marketing Officer at Wyze:
Following an AWS outage this morning, our servers were overloaded, resulting in some user data being corrupted. We’ve now identified a security issue where some users could see thumbnails of cameras that don’t belong to them on the «Events» tab. Luckily, they could not watch live streams or view these videos, only thumbnails were visible.
So far, we have received 14 reports of such cases, but we are currently identifying all affected users. These users will be notified as soon as possible. We will also send a message to all Wyze users explaining what happened.
Once we saw these notifications, we closed the «Events» tab. We then added an extra layer of verification for each user before they could see the thumbnails. For added security, we are forcing all users who have used the Wyze app today to log out to reset their tokens.
We’ll explain in more detail once we’ve completed our investigation into exactly how this happened and the next steps we’ll take to make sure it doesn’t happen again. Once again, we apologize for the inconvenience today. We thank everyone who helped us report the incidents and get our devices back up and running. We sincerely apologize to everyone who was affected.