TL;DR
- Wyze accidentally let up to 13,000 users briefly see into the homes of other customers.
- The breach is far greater than what was initially reported.
- The company claims that “a third-party caching client library” is at fault.
Last year, Wyze got in some hot water after smart home owners reported they were briefly able to see video feeds from cameras they didn’t own. A week ago, the issue popped up again with co-founder David Crosby stating that at least dozens were affected. We’re now finding out that the number of people affected is far greater than what was initially reported.
Wyze customers were sent an email to explain a recent outage and a subsequent security issue. In the email, the company blames its web hosting provider — AWS — for the outage that prevented users from accessing live cameras or Events. It appears the security issue occurred as Wyze attempted to bring its services back online.
Wyze claims a “third-party caching client library” was the cause of the breach:
The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.
The security issue in question allowed some users to see into the homes of other people. Reportedly, an estimated 13,000 users were allowed to see thumbnails of other homes. On top of that, Wyze says 1,504 people who tapped on those thumbnails were able to view video taken from those homes.
On it’s part, Wyze says it “immediately removed access to the Events tab and started an investigation.” The company adds that to prevent the problem from happening again, it has tacked on “a new layer of verification” for Event Videos. In addition, Wyze says it has “modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday.”
Although the company has owned up to the mistake, that hasn’t stopped users from flocking to Reddit to voice their frustrations.
