Live, seeing another person’s feed

I haven’t had much success getting through to someone; I think I have been receiving automated responses or messages from someone who can’t help. My worry is legal concerns now, so I’m reaching out on this forum to see if I can make contact with a Wyze employee who can meet my concerns.

*At around 1.50 p.m. on September 8th 2023 (today), I refreshed my Wyze live feed, which showed me someone else’s camera feed. These cameras appeared to be inside someone’s home in the UK.

I live in Vancouver, Canada.

I have three Wyze cameras at my address, and I monitor them using: https://view.wyze.com/live

When I refreshed my browser today, I started seeing a live stream of someone else’s house.

I have made three screen-recorded videos of this. Importantly, you must view them with audio because I am describing the issue on my microphone during the recordings. There is a lot of detail in these videos, so it’s important to watch and listen to them. I cannot upload them here because the files are too large; please advise me on how I can share these with you.

I also took screenshots; I am able to attach a file of that size, so I have done so. Again, the person in this image is not me, and these cameras are not at my address.

This is extremely concerning. I have a home office from which I run a business. I use Wyze cameras as a security measure around my home and business.

There is a major security issue here to be addressed. Please respond to me as soon as possible, because I need a full explanation about this.

There are some potential legal issues here, and I may need to consult my lawyer before communicating with you further. However, I would appreciate a prompt response from you on this matter regardless.

The form below does not accurately reflect the issue, but these fields are required and I filled it out the best that I could.

I’m so sorry to hear that you are concerned that your account may be compromised. I understand how frustrating this can be but rest assured, we are here for you.

Here at Wyze, we take our customers’ data safety very seriously. We utilize a variety of methods including symmetric and asymmetric encryption, consistent hashing, and other ways to make sure users’ information cannot be stolen. If you ever feel your account may be compromised, we recommend changing your Wyze account password. A strong password will consist of a combination of lowercase and uppercase letters, numbers, and special characters.

Next, we recommend adding Two-Factor Authentication to your account if you have not already done so. Two-Factor Authentication requires a special code to be used before being allowed access to the account. This code changes every few moments and the most recent code must be used. Only you have access to that code. You can learn more about Two-Factor Authentication here.

If you have already done that, we’d like to look into this further for you. In order to do that, please provide the following:

  • What time(s) did the suspected access occur?
  • What is the email address associated with your Wyze account?
  • What type of device was it (Wyze Cam v3, Wyze Video Doorbell Pro, etc.)?
  • What is the MAC address for the above device? This can be found on the device info label or on the Device Info page of the Wyze app.
  • Are there any shared users or integrations being used for that device?

Please note that this process requires assistance from multiple teams which may cause a delayed response. We apologize for any wait while we work to resolve this for you.

In the meantime, please let us know if you have any further questions or concerns and we’d be happy to assist you further.

Thank you for being a part of Wyze!

Good morning,

The information asked for here does not seem relevant to the issue. I suspect this is an automated response. Could a member of your team contact me? My phone number is REMOVED

Hope (Wyze)

Sep 10, 2023, 1:20 PM PDT

Thank you for getting back to us, Philip.

I’m afraid to say that we’re unable to do callbacks. All security concerns will be answered through email for documentation purposes.

We’d like to look into this further for you. In order to do that, please provide the following:

  • What time(s) did the suspected access occur?
  • What is the email address associated with your Wyze account?
  • What type of device was it (Wyze Cam v3, Wyze Video Doorbell Pro, etc.)?
  • What is the MAC address for the above device? This can be found on the device info label or on the Device Info page of the Wyze app.
  • Are there any shared users or integrations being used for that device?

Please note that this process requires assistance from multiple teams which may cause a delayed response. We apologize for any wait while we work to resolve this for you.

In the meantime, please let us know if you have any further questions or concerns and we’d be happy to assist you further.

Regards

Hello,

I suspect that I am not talking to a person at the moment. This feels like a response from an email template or bot. If I’m wrong, my apologies. This is coming from a place of concern.

I have screen recorded videos of what happened, I have already made you aware of this, and frankly the recordings are quite disturbing. Without intent, I was given access to another person’s camera.

There is someone who, without judgment, I would suspect would appreciate their privacy.

I think it would be of value if a person read this message and contacted me directly. I’d like to talk about the next steps rather than follow troubleshooting tasks. This does deserve some eyes on it.

This is very important and it should be treated as such. Wyze, as an office, will certainly have the ability to dial out to a Canadian phone number. Again, my number is REMOVED.
I am available most afternoons between 1pm and 5pm

Kind regards*

Welcome to the Wyze User Community Forum @philipmaddocktemp! :raising_hand_man:

The issue you experienced was immediately reported to Wyze by other users and action was taken at that time to shut down the Wyze Live Web View while the issue was fixed.

Please refer to the topic below for further information:

2 Likes

Hello,

Again, I was able to view another person’s feed without meaning to. I screen recorded and voiced-over the whole thing, explaining the issue and how it happened. I have made you aware of this a few times and you have not requested to see it. I find this worrying.

You need to take this more seriously.

I was going to put a Wyze camera in my 6-month-old baby’s nursery. I will not do that now. This is popular among parents.

During this error window, there were live streams of private individuals being shared from inside their homes to strangers. During the incident that I witnessed, I viewed a sleeping adult who kept ferrets, but others must have seen children. If a stranger was viewing my child through a camera in my home, I’d be more livid than I currently am.

I would appreciate a phone call. Please refer to my emails or account details for my number. I am not going to let this issue alone until I’m satisfied.

Welcome to the forum philipmaddocktemp. Just FYI… Wyze employees do not actively monitor this forum. This forum is primarily a user-to-user community and not a substitute for Wyze Customer Support. Forum Moderators and Forum Mavens are not Wyze employees. We are fellow Wyze users who volunteer our time to answer questions and help keep this forum running smoothly. Wyze employees are identified via “Wyze Team” or “Wyze Employee” following their forum user name.

2 Likes

You mentioned you really want to talk to an employee on the phone and that you are in Canada.

I believe the Phone number to Wyze support for Canada is (581) 500-1166
Phone support is available 6:00 am - 6:00 pm PT Monday through Friday, and 8 am - 4pm PT Saturday and Sunday.

Wyze is taking this seriously. As you can see in the link posted above, Wyze made an announcement about this issue. The issue happened for roughly 30 minutes on 9/8/23 before Wyze took the Webview offline and fixed it. As stated in the above link, this was caused by a “caching error” for a select group of people who were using the Webview during that 30 minute window. As I understand it, it did not give control over other people’s live-view or settings, but it did allow users to see some other accounts’ browser “Cache” of the webview, including thumbnail images of the cameras, etc. One of the cofounders is quoted as explaining that they believe this affected 10 user accounts before it was caught and taken offline and fixed. Once the issue was fixed, they posted a public announcement about what happened, the cause, that they fixed it, and then they brought everything back online as soon as it was confirmed secure again.

I am not a Wyze employee and I don’t speak for or represent Wyze. I am wondering what more videos and screenshots will do for them though since they already know about and already fixed the issue the same day it occurred. If you still want to ensure they have a copy of the issue from before they fixed it, then I would recommend attaching it as an email reply to the email support ticket you already started. If you really want someone to speak to over the phone, you may call the above number for Canada during business hours and you will talk to a Wyze Employee.

The above link has Wyze’s official response to this issue you experienced, but here it is quoted in full, for your convenience:

Again, if there are further security concerns, it’s often best to use the email security@wyze.com since that’s where they conduct all security investigations and to make sure there is always a full log of every detail. You can email the recordings there, directly to the security team. But Wyze does offer the ability to talk to someone on the phone at the number I posted. I expect they are likely to repeat the official response, about it being caused by a caching issue and that it is now fixed, and/or refer you to the security team by email for further security concerns, but it is always an option to talk on the phone if that is important. :+1:

Hopefully that helps to clarify.

2 Likes

Hello,

I was watching this other person’s house live. I explain it in my videos. The time stamp on their video was ticking up in real-time. I was definitely watching them live, not a cache of an earlier recording or something like that. I was able to watch the live feed, and listen to them. Out of respect for their privacy I decided to turn the sound off.

Would it be helpful to see the recordings I made? I logged in through my Google account; would it be of more value to share them with Google? Could the issue be there potentially?

Someone should also reach out to the person I saw in their living room and let them know about it. I’d want to know if someone was watching me through my camera.

1 Like

It won’t be helpful to us. Again, we are simply Wyze cam users on a user-to-user forum. It may be helpful to Wyze, although they reported that they have identified and already corrected the issue. If you’d like to share your video with Wyze, email Wyze or speak to a Wyze representative, the means to do so are in the posts above.

3 Likes

This is the frustrating part about Wyze. The communication is poor and so is the support. Much of the good information comes from the users. Wyze doesn’t seem to understand it was not just the 30 minutes. Everyone should be concerned; who knows if their camera is being seen at someone else’s house?

1 Like

I don’t work for Wyze, but I am curious which smart home companies you believe are more transparent with more communication when they do have similar issues. Do you have any examples?

This is seriously concerning! Wyze has compromised people’s personal privacy. I don’t care what people say about putting a camera in their house. It is their house and Wyze should never have let this happen! I hope whoever had their camera compromised sues the crap out of Wyze for invading their privacy in such a disgusting manner!
And Wyze wants me to pay a monthly fee for the privilege of being spied on?

1 Like

Just sharing my personal opinion. The fact that WYZE has admitted that their architecture allows such a thing to be possible is frightening. Until there is a change with the architecture, I suspect this will be reported yet again. WYZE resolves issues at a snail’s pace, but introduces them (mostly via new products) at a lion’s pace. This issue is at the core of their architecture. Therefore, this is nothing I count on being permanently resolved for years.

My indoor cameras are all on smart plugs for more than one reason.

Moral of the story: Be wise about where and how you use WYZE cameras.

1 Like

This issue is actually possible because of the very way the internet works. This exact same issue has happened to other companies in the past, allowing users to view account details as if they were logged in as someone else.

I agree with you that sometimes Wyze can be pretty slow at fixing bugs, but I think in this case they handled the security issue very well.

Unfortunately there’s not really any way to change their “architecture” to prevent this from ever happening, though there should have been some kind of review process before the change that caused this issue was published. I’m guessing the specific switch that enabled this caching behavior was not as restricted because it was probably present in a third-party caching service such as Cloudflare.

I am not saying this is ok, it’s definitely not, but I’m just letting you know that this specific issue is very easy to accidentally happen. I’m hoping Wyze educated their employees about this now and possibly restricted that toggle if possible.

LOL! Nothing to see here, it’s the internet’s fault. Say what you will and believe what you wish. As will I.

Hi Carver, Just wanted to respond so you know I’m not ghosting the question. I realize Wyze is basically using its customers for its testing, thus the low cost. But I find transparency means they let valued consumers know immediately when there has been any breach and how to check for it, like companies do for a data breach coming from the outside (though it’s being hacked is almost a norm as often as it occurs). The frustration is from all the users’ comments and Wyze not immediately vetting there is a problem and/or solution (like techs talking to users on initial issues) instead of letting it morph, and having to go through all the comments to find the one that works, which is not always the last. But I will also say some of the users are exceptionally good at resolving issues quickly for the rest of us; maybe they should be in a Wyze Super User group to test its HW and apps before marketing. As for comparing similar companies, you can’t; the other companies don’t have quite as many issues. It was kinda fun at first to fiddle with the camera apps. I may have passed the point of being surprised it’s not working or trying to find out the problem, let alone fix it when I didn’t touch anything. Might be time for me to buy a brand name.

Thanks for the follow-up.

I do think Wyze could improve their communication and transparency to be more in line with how well they did in the early years when they were smaller.

I don’t necessarily blame them in this case for reserving a full public answer until after their investigation was complete though. They have now said that they have individually contacted every user that was actually affected, which is more than I can say for some bigger companies I know that had various kinds of breaches or security events. I think their reaction time and such have seemed reasonable and an improvement from the previous issue.

I think they have struggled with some bugs a bit more this year than in the past. I believe this has to do with their security upgrades, their server migration changes, as well as their new pre-cloud-detection algorithms. I think a lot of those major changes made it a rough firmware year for them, though I expect such things should mostly stabilize. It was a little more chaotic earlier in the year, but the bugs from the major revamp seem to have mostly settled down in recent times (compared to Winter/spring time). This mistake will set them back in the public eye a little bit. I expect a small ripple and a small percentage will hold on to it or rehash it occasionally, but for the most part I expect that it won’t make a huge impact all by itself and will blow over with the vast majority of people within a few months, at least if history and other examples from other companies are anything to go by.

1 Like