Ring doorbell flaw lets others watch after password changes (updated)

At one point, the camera was exposed for months.

You'd expect a smart doorbell to instantly boot out everyone the moment you change your password, but that isn't necessarily the case. The Information has learned that the app for Ring's video doorbell wasn't forcing users to sign-in after password changes, regardless of how much time had elapsed -- in one case, an ex-partner had been watching the camera for months. Ring said it started kicking people out in January, after receiving word of the incident, but that window of opportunity still lasted several hours in an Information test.

The issue, as you might guess, is that the window exists in the first place. Someone with a still-valid login could not only spy on whatever's happening, but download videos. The same incident that prompted the change also included phantom rings in the middle of the night.

The flaw provides something of a headache for Amazon, which only acquired Ring in February. If it's going to use Ring's doorbells as part of delivery solutions like Amazon Key, it needs to know that the devices are reasonably secure against exploits like this. This is also a reminder that smart home security needs to be particularly tight -- a loose policy can easily lead to privacy violations.

Update: Ring has issued a statement promising both additional improvements and reminding users to avoid sharing login details when possible. You can read it in full below.

"Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security.

"We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring's "Shared Users" feature. This way, owners maintain control over who has access to their devices and can immediately remove users.

"Our team is taking additional steps to further improve the password change experience."