Smart-cam maker Wyze is informing customers of a nasty glitch that exposed some people’s video feeds to strangers – just months after an almost identical incident.
Wyze last week suffered a server outage that led to a caching issue, resulting in some “crossed wires” that ultimately allowed some users to access the video feeds of others.
“We had a caching issue from a third-party caching client library that was recently integrated into our system,” reads the most recent update on the Wyze forums. “It got overloaded after the outage Friday morning and got wires crossed while trying to come back online.”
A Reddit thread titled “I was watched by someone” describes one person’s experience with the glitch. Several other reports can also be found across the web, as highlighted by BleepingComputer.
Wyze issued emails to both affected and unaffected customers, displaying a high degree of transparency about an otherwise serious security lapse.
The latest toll is:
· About 13,000 users received thumbnails from cameras that were not their own.
· 1,504 tapped on those thumbnails. Most of the taps only enlarged the image but did not display any actual footage
· In a few cases involving hardware like Cam Plus Lite and sound detection events, clicking the thumbnail would not just enlarge the image, but also play the event video – and therefore some videos were indeed viewed.
· Videos from live streams were not affected.
According to Wyze, the event affected a little less than 0.25% of users, including users who received thumbnails and users whose thumbnails were sent to a different account.
Security issues aside, some customers are also struggling to regain control of their Wyze smart-cams. The company advises anyone having trouble with recovery to reboot or power-cycle their device.
“We are temporarily disabling the Event tab in the Wyze app to investigate a possible security issue and will have it back up soon,” the Wyze forums also say.
To prevent similar accidents from occurring again, Wyze says it has added a new layer of verification before users are connected to Event Videos.
The company has also made server-side amendments to bypass caching for checks on user-device relationships until it finds new client libraries that are thoroughly stress-tested for extreme events like these.
Unfortunately, this is not Wyze’s first such blunder. In December 2019, the company exposed the details of roughly 2.4 million customers.
And in September of last year, in a nearly identical series of events, some users reported they could see other people’s camera feeds in their Wyze cam web interface. When asked, the company blamed a web caching issue.
tags
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
View all postsDecember 19, 2024
November 14, 2024