Wyze camera security issue showed 13,000 users other owners' homes

Users started seeing camera feeds that weren't theirs after an outage that Wyze blamed on AWS.


Some Wyze camera owners have reported that they were suddenly given access to cameras that weren't theirs and even got notifications for events inside other people's homes. Wyze cofounder David Crosby has confirmed the issue to The Verge, telling the publication that "some users were able to see thumbnails of cameras that were not their own in the Events tab." Users started seeing strangers' camera feeds in their accounts after an outage that Wyze said was caused by an Amazon Web Services problem.

Crosby wrote in a post on the Wyze forum that, after the outage, the company's servers got overloaded, which corrupted some user data. The security issue that resulted from that event then allowed users to "see thumbnails of cameras that were not their own in the Events tab." Users couldn't view those videos and could only see their thumbnails, he clarified, and they were not able to view live streams from other people's cameras. Wyze was able to identify 14 incidents before taking down the Events tab altogether.

The company said it's going to notify all affected users and that it has forcibly logged out everyone who has recently used the Wyze app in order to reset tokens. "We will explain in more detail once we finish investigating exactly how this happened and further steps we will take to make sure it doesn’t happen again," Crosby added.

While the company doesn't have a detailed explanation for what happened yet, its swift confirmation of the incident is a huge departure from how it previously dealt with a security flaw. Back in 2022, cybersecurity firm Bitdefender revealed that in March 2019, it informed Wyze of a major security vulnerability in the Wyze Cam v1 model. The company didn't inform customers about the flaw, however, and didn't even issue a fix until three years later.

Update, February 20 2024, 9:08PM ET: In an email received by Engadget, Wyze admits to affected users that "about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed."

The company went on to explain that this glitch was caused by a mix-up of device ID and user ID mapping, due to a new third-party caching client library struggling to cope with the "unprecedented" data load from client devices rebooting all at once. Wyze promises to prevent this from happening again by adding "a new layer of verification" for connections, and says it'll look for more reliable client libraries to cope with such incidents.
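
The failure described above is a cached device-ID-to-user-ID mapping being trusted as an authorization decision. The following added example (not Wyze's code; Wyze has not published how its verification layer works, and every name and value below is constructed) shows one way such a check can be built: the cache output is treated as untrusted, and each device is re-checked against the ownership record before any event is returned.

```python
# Added illustration: every name and value here is constructed, not Wyze's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    device_id: str
    thumbnail: str


# Authoritative ownership record (system of record), constructed sample data.
DEVICE_OWNER = {"cam-A": "user-1", "cam-B": "user-2"}

# Stored events per device, constructed sample data.
EVENTS = {
    "cam-A": [Event("e1", "cam-A", "a1.jpg")],
    "cam-B": [Event("e2", "cam-B", "b1.jpg")],
}


class MixedUpCache:
    """Stand-in for a cache client that hands back a wrong user-to-device mapping."""

    def __init__(self, mapping):
        self._mapping = mapping

    def devices_for(self, user_id):
        return list(self._mapping.get(user_id, []))


def events_unverified(cache, user_id):
    """Before: whatever device IDs the cache returns are trusted as the user's own."""
    return [ev for dev in cache.devices_for(user_id) for ev in EVENTS.get(dev, [])]


def events_verified(cache, user_id, mismatches):
    """After: each cached device ID is re-checked against the ownership record."""
    allowed = []
    for dev in cache.devices_for(user_id):
        if DEVICE_OWNER.get(dev) != user_id:
            # Fail closed: unknown or foreign device, withhold it and record the mismatch.
            mismatches.append((user_id, dev))
            continue
        allowed.extend(EVENTS.get(dev, []))
    return allowed
```

The recorded mismatches also serve as a detection signal: a sudden rise in them points at a corrupted mapping before any thumbnail reaches the wrong account.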