Hi,
I created a 2nd Wyze account to see how sharing worked so I could better explain it to my non-techie family members via email with screen shots etc.
When I was done with my testing, I stopped sharing the camera with the 2nd account - while the 2nd account was viewing the camera.
I fully expected the 2nd account to have it’s access immediately revoked - but that is not the case!
It seems even after canceling a share, as long the person who is viewing the now non-shared camera doesn’t navigate away from it - they can continue to view the camera till…?
This seems to me to be a huge security hole - if I share a camera with someone and then cancel the share, I’d expect their access to be immediately stopped.
Welcome to the Wyze User Community Forum @StayFrosty!
When the shared user opens a stream to the cam, after being credentialed by the server, a dedicated Peer to Peer connection is established directly between the cam and the user outside of the Wyze Server.
When you change the share settings in the app, these are saved on the server. Those changes will not be affected until the next time the user attempts to establish another stream and connects with the server. So long as the shared user has a valid P2P connection to the cam, opened prior to the change in server settings, it will continue to stream until the connection is terminated or lost.
Unfortunately, I can’t test the power cycle idea since the camera is at my parents house and I won’t be there till later in the week.
I will definitely give this a try though.
Thanks for the idea!
I tested this issue earlier and noticed the same thing, so my query to you is (yes, I’m an engineer): assuming you use a key or token that allows clients to connect to a camera, when is that token reset, is it:
Never (I presume this is the case and assume that the way your device authentication works is you generate a key/token at production time, flash it to the device and store it in a database and then use this to allow devices to be authourised)
After some period of time (and if so, what time length?)
If a device is factory restored and set up again
Now if the answer is 1, then it seems to me you have more than a bit of a problem because I could buy a device, set it up and get the token, then erase the configuration and either sell it or gift it to someone, and that device is now irrevocably compromised, and worst of all the user actually has no way to know?
Create a Device Log from the Owner of the Cameras Streaming Device
Create a Device Log from the Shared account Streaming Device
Post both of those here.
Also,
Can you provide a screen shot of the Sharing Menu choice located under Account, and the devices shared to the account in question by clicking on the shared account.
Can you also provide:
iPhone App Version version
Camera Model
Camera Firmware version
thanks
@StayFrosty As soon as I get the logs, I can forward them on for you
Create a Device Log from the Owner of the Cameras Streaming Device
I’m trying to figure out do create the device logs from the App - but coming up empty.
Under “settings” → “wyze support” I found “Submit a Log” but that seems to assume I have a log to submit - and I need to create one somehow…
I did a search on the forum - and the closest info I could find for creating logs is:
I’m guessing you want what is termed in this old post as an “app log” but it sounds like the App generates and submits it automatically - so I can’t download it and attach it here like you request.
If you can give me the instructions on how to generate the logs - I can do so on both of my devices (phones)
Are you requesting the log that gets dumped on the SD card (according to this post from 2018)?
Go to Account, Wyze Support, Submit Log. Scroll to the bottom and go to Account and Services, then select Sharing. Enter the info and submit the log
Go to the device you removed and Live Stream it, select the Gear at the Top Right, scroll to the bottom and select Wyze Support, Select Submit Log, Select other, then Submit the log.
Please enter the logs here identified with which one is which.
Then do the same for the account you shared it with. and post the result here.
Note: I tested the removal of a share while it was being streamed. The Camera did continue to stream even when the camera share was removed. once I stopped streaming the page refreshed and the camera was gone. So I could not stream again.
I don’t seem to have the “Account and Services” under “Submit Log”
Attached is a screen shot of what I do have.
(iPhone - latest version of the Wyze App)
When submitting a log - I assume it’s being sent directly to Wyze - so I’m not sure what I am supposed do with this step:
“Please enter the logs here identified with which one is which.”
When you submit a log - are you given some sort of Identifier I can reply with?
If you’re saying you navigated away from the camera that was previously shared - and now you can’t see it again - that is exactly what I described in my opening post
As long as the other user doesn’t leave the camera view - they can view the now non-shared camera seemingly forever.
I just need guidance on how to submit the account log and I’ll then submit all of the logs as requested.
I just realized that this step will break the stream - since I have to navigate away from the camera view for the “account and services” log (which is missing from my App) and then I obviously can’t submit a log from the current stream - since the camera view is no longer accessible.
The problem was and still is, the issue when the other user doesn’t navigate away from the stream.
Yes. The app uploads the log it creates to an area that Wyze can reference the information, and then the user (you) are presented with a log number that you can post that number here in a reply to @spamoni. That number once provided to the engineers or developers will allow then to reference and access the log you provided.
Log numbers are different than support ticket numbers you get after an interaction with Support.
Has this issue been resolved yet? I have stopped sharing devices with people and want to make sure they cannot have access to the camera views. This is very concerning!!
“It seems even after canceling a share, as long the person who is viewing the now non-shared camera doesn’t navigate away from it - they can continue to view the camera till…?”
Is “navigating away from” different from “refreshing?” What I mean is, could you bookmark a page and then revisit the page anytime you want? I’ve bought most of my cameras from Wyze’s ebay account which are refurbished. I know that would be a lot of work but would it be possible to “share” and then bookmark all of those addresses to later access? Or would it eventually time out or lose connection if refreshed or restarted?
