Some Wyze camera owners have reported suddenly gaining access to cameras that don’t belong to them and even receiving notifications about events in other people’s homes. Wyze co-founder David Crosby confirmed the matter The Verge, told the publication that “some users were able to see thumbnails of cameras that were not theirs in the Events tab.” Users started seeing camera feeds of strangers on their accounts after an outage that Wyze said was caused by an Amazon Web Services issue.
Crosby wrote in a Post on the Wyze forum After the outage, the company’s servers were overloaded, causing some user data to be corrupted. A security issue resulting from that incident later allowed users to “see thumbnails of cameras that are not theirs in the Events tab.” Users couldn’t watch those videos and could only see their thumbnails, it clarified, and they couldn’t watch live streams from other people’s cameras. Wyze was able to identify 14 events before eliminating the Events tab entirely.
The company said it will notify all affected users and forcibly log out anyone who recently used the Wyze app to reset tokens. “Once we investigate how this happened, we will explain further and take steps to ensure it doesn’t happen again,” Crosby said.
While the company has yet to provide a detailed explanation of what happened, its quick acknowledgment of the incident is a big departure from how it has handled security flaws in the past. Cyber security firm Bitdefender in 2022 revealed In March 2019, he notified Wyze of a major security vulnerability in the Wyze Cam v1. However, the company did not notify customers about the defect and did not even provide a fix after three years.
Update, February 20, 2024, 9:08 PM ET: In an email obtained by Engadget, Wyze acknowledges to affected users that “about 13,000 Wyze users received thumbnails from cameras they didn’t own and 1,504 users tapped them. Most taps zoomed in on the thumbnail, but in some cases Event Video was able to do so. Please see.”
The company explained that the bug was caused by a mix-up of device ID and user ID mapping, as a new third-party caching client library struggled to cope with the “unprecedented” data load from client devices. once. Wyze promises to prevent this from happening again by adding a “new layer of validation” for connections, and to look for more reliable client libraries to handle such incidents.
