Five months ago, we wrote about how your Wyze webcam might have let strangers peek into your house. Today, it happened again. Wyze cofounder David Crosby confirms that at least a dozen users were able to briefly see into a stranger’s property because they were shown an image from someone else’s camera.
“We have now identified a security issue where some users were able to see thumbnails of cameras that were not their own in the Events tab,” he told The Verge.
After an extended outage that Wyze says stemmed from problems with AWS, we found ten different Redditors reporting that their Wyze app showed them images they shouldn’t have seen — including glimpses of a stranger’s porch or in some cases, a living room. Some of the videos were from entirely different timezones.
“One of my cameras notified me of an event from inside someone else home with them in it walking around,” begins one post. “I just got a motion detection notification with a picture for someone else’s house that isn’t mine!” reads another.
“I’m able to see a random camera I do not have permission for,” reads a similar post in the Wyze forums. “Notification alert for a camera I don’t own,” a second one starts. Six users commented on other peoples’ Reddit posts to say they, too, were seeing the images pop up.
Wyze seems to be taking a more transparent tack today than it has with previous incidents, and so far says it’s only aware of a similar number of reports as the ones we’ve found.
“So far we’ve collected 14 reports of this happening, but we are currently identifying all affected users…We will also send notification to all Wyze users explaining what happened,” Crosby tells us. He linked the issue to overload and corruption of user data after an AWS outage this morning and said that Wyze did not connect live feeds or send videos to the wrong users, just the alert thumbnails.
We’ve asked Amazon to confirm whether issues with AWS were responsible; AWS did not report an outage during the time Wyze cameras were having these problems.
“As soon as we saw these reports we took down the Events tab,” writes Crosby. “We then added in an extra layer of verification for each user before they could see thumbnails. To be extra safe, we are now force logging out all users who have used the Wyze app today to reset tokens,” he adds. You can read his email in its entirety at the bottom of this story.
After the initial outage eased around mid-day Friday, the thumbnail issues started, as the company reported at 1:07PM ET, “We are still investigating an issue with the Events Tab and will have another update shortly with further info,” without explaining the issue.
At 2:27PM ET, the company turned off the Events tab entirely: “We are temporarily disabling the Event tab in the Wyze app to investigate a possible security issue and will have it back up soon,” it wrote in a service advisory. At that point, the company had still made no mention of what the issue might be.
There’s a reason why we’re pointing out Wyze’s transparency, or lack thereof, at various points throughout the day. Two years ago, I told you how Wyze swept a security vulnerability under the rug for three years, never notifying its customers that their unpatchable v1 cameras could have theoretically let hackers access video feeds over the internet or that patches were required for later cameras to prevent the same thing.
And of course, this is the second time a Wyze error has let some strangers briefly peek inside other’s homes. To have that happen even once is a cardinal sin when it comes to security; twice and it may be difficult to regain trust.
Last September, The New York Times publicly stopped recommending Wyze cameras following our reporting on previous issues, noting that Wyze never reached out to its customers or “provided meaningful details about the incident” where some customers saw into other’s homes.
Dave Crosby, Wyze Chief Marketing Officer:
Update: After an AWS outage this morning, our servers got overloaded and it corrupted some user data. We have now identified a security issue where some users were able to see thumbnails of cameras that were not their own in the Events tab. Fortunately, they were not able to view live streams or watch these videos, only the thumbnails were visible.
So far we’ve collected 14 reports of this happening, but we are currently identifying all affected users. These affected users will be notified asap. We will also send notification to all Wyze users explaining what happened.
As soon as we saw these reports we took down the Events tab. We then added in an extra layer of verification for each user before they could see thumbnails. To be extra safe, we are now force logging out all users who have used the Wyze app today to reset tokens.
We will explain in more detail once we finish investigating exactly how this happened and further steps we will take to make sure it doesn’t happen again. Again, we are very sorry for the inconvenience today. Thanks to everyone who helped report incidents and helped get devices back online. Our deepest apologies to everyone affected.
Update February 16th, 8:11PM ET: Added response from Wyze co-founder Dave Crosby confirming and detailing the problem.