Wyze Camera ‘Glitch’ Let 13,000 Owners See Other Feeds

Security camera maker Wyze recently informed its users of a security incident that occurred during a service outage last Friday morning, affecting a small fraction of customers.

The company said over 99.75% of Wyze accounts, including the recipients of the email, were not impacted by the incident. The outage, blamed on an issue with their partner AWS, temporarily disabled Wyze devices, preventing access to live camera feeds and event videos.

But here’s where it got really weird and pretty scary. As camera functionality was being restored, a security lapse was identified, allowing some users to access incorrect thumbnails and event videos in their Events tab. Wyze responded promptly by disabling access to the affected tab and launched an investigation.

Approximately 13,000 Wyze users were presented with thumbnails not associated with their accounts, and 1,504 users interacted with these thumbnails, with some managing to view event videos belonging to others. Wyze has since notified all affected users directly, confirming that the accounts receiving the email were not among those compromised. That’s a bit of a shocking security breach, to let others see private camera feeds. You literally had one job and that’s to protect the privacy of your users.

The root cause of the incident was traced back to a third-party caching client library recently added to Wyze’s system. This library failed under the stress of devices simultaneously reconnecting, leading to a mix-up in device ID and user ID mappings.

“To make sure this doesn’t happen again, we have added a new layer of verification before users are connected to Event Videos. We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday,” said Wyze.

“We know this is very disappointing news. It does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze. We built a security team, implemented multiple processes, created new dashboards, maintained a bug bounty program, and were undergoing multiple 3rd party audits and penetration testing when this event occurred,” concluded Wyze.
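The mitigation Wyze describes above (a verification layer before event video access, with the user-device check bypassing the cache) can be sketched as follows. This is an added example, not Wyze's code: the names `OWNERS`, `CORRUPT_CACHE`, `owner_of`, `list_events_verified` and `fetch_video` are hypothetical, and the data is constructed to mimic a cache whose device-to-user mapping went wrong.

```python
# Added illustration; every name and value here is constructed, not Wyze's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    event_id: str
    device_id: str

# Authoritative user-device relationships (stands in for the store of record).
OWNERS = {"cam-A": "alice", "cam-B": "bob"}
# Constructed cache state after a reconnect storm: cam-B now maps to the wrong user.
CORRUPT_CACHE = {"cam-A": "alice", "cam-B": "alice"}
EVENTS = [Event("evt-1", "cam-A"), Event("evt-2", "cam-B")]

def list_events_cached(user_id, cache=CORRUPT_CACHE):
    """Before: trusts the cached mapping, so a bad entry exposes another user's event."""
    return [e.event_id for e in EVENTS if cache.get(e.device_id) == user_id]

def owner_of(device_id, store=OWNERS):
    """Ownership lookup that bypasses the cache and reads the store of record."""
    return store.get(device_id)

def list_events_verified(user_id, cache=CORRUPT_CACHE):
    """After: the cache may propose candidates, but each is re-verified before serving."""
    served, rejected = [], []
    for e in EVENTS:
        if cache.get(e.device_id) != user_id:
            continue
        # Fail closed: an unknown device or a mismatched owner is never served.
        if owner_of(e.device_id) == user_id:
            served.append(e.event_id)
        else:
            rejected.append(e.event_id)  # cache and store disagree: worth alerting on
    return served, rejected

def fetch_video(user_id, event_id):
    """Second layer at playback: check ownership again, independent of the listing."""
    event = next((e for e in EVENTS if e.event_id == event_id), None)
    if event is None or owner_of(event.device_id) != user_id:
        raise PermissionError(f"{user_id} may not view {event_id}")
    return f"video-bytes-for-{event_id}"
```

With the corrupted cache, the verified path costs the rightful owner availability (bob's listing is empty until the cache is repaired) but never serves an event to the wrong account, and the `rejected` list gives operations a signal that cache and store have diverged.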

The outrage at Wyze was also visible on Reddit, where many said they had cancelled their accounts with the company.

All it takes is one security lapse to lose the trust of your customers. This is definitely not something to take lightly, considering how some cameras could be used as baby monitors and more.
