Wyze Web View Service Advisory - 9/8/2023

9/22/23

In our ongoing commitment to security we wanted to share details of a mistake we made on Friday, September 8th that affected 10 people and was immediately resolved. We’ve completed an internal investigation and would like to share details of what took place and what we’re doing to prevent it from happening again. We take security extremely seriously at Wyze and work as hard as we can to give users peace of mind and earn your trust. Here’s how we fell short of that last week and what we’ve done to make sure we do better going forward.

On Friday, September 8th, an engineer was fixing a bug on our online web viewing portal, view.wyze.com. In the process of deploying the fix, the wrong CloudFront caching setting was selected. Simply put, it crossed some wires in the backend and, for about 40 minutes, up to 2,300 users who logged in to the online web viewing portal may have seen cameras from one of the 10 affected users who had also logged in during that time.

When we discovered the incident, we immediately took down view.wyze.com to investigate and resolve the issue. View.wyze.com was back online a few hours later.

We want to make it absolutely clear that it did not affect the Wyze app or the 10M+ users who only access Wyze products through the Wyze app. The web portal view.wyze.com is a separate viewing experience behind a paywall.

Here’s what we’re doing to rectify the situation and prevent it from happening again. So far we’ve:

  • Conducted a detailed investigation. Due to the low amount of traffic to this site we were able to analyze page traffic in detail and know exactly 10 users were affected.
  • Provided as much detail as we could reliably confirm as it was unfolding in real time, including on Reddit, Facebook, Wyze Forum, core communities, our website and answering questions from the press.
  • Notified the 10 users that their accounts were affected.
  • Further limited account permissions, updated company policies, updated training for Wyze employees, and implemented other technical fixes including additional admin alerts so that this doesn’t happen again.
  • Hiring an external security firm to do further penetration testing of Wyze systems and processes.

Security is a core focus for us here at Wyze. We have built a dedicated security team and continually invest millions of dollars into security to keep our customers safe. We made a mistake here and will take all the appropriate steps to make sure it doesn’t happen again. We especially apologize to the 10 affected users and any users who signed into the web portal during this time.

9/13/23 - We wanted to provide an update as we have continued to investigate the matter through the weekend. We have identified and notified the 10 users whose camera events may have been viewed by others who were logged into view.wyze.com during that brief period of time on Friday afternoon. We also adjusted the website so it no longer logs users out after 15 minutes of streaming and will stream as usual. We are continuing to investigate this issue and we have implemented multiple technological and policy measures in an effort to prevent this from occurring in the future. Again, this experience does not reflect our commitment to users or the investments we’ve made over the last few years to enhance security. We apologize for this incident.

9/11/23

Hey all,

This was a web caching issue and is now resolved. We continue to investigate and believe no more than 10 users were affected, and all will be notified.

For about 30 minutes on Friday afternoon, a small number of users who used a web browser to log in to their camera on view.wyze.com may have seen cameras of one of the 10 users who also logged in through view.wyze.com during that time frame. The issue DID NOT affect the Wyze app or users that did not log in to view.wyze.com during that time period.

Once we identified the issue, we shut down view.wyze.com for about an hour to investigate and fix the issue.

We have enacted numerous technical measures to prevent this from occurring in the future.

This experience does not reflect our commitment to users or the investments we’ve made over the last few years to enhance security. We are continuing to investigate this issue and will make efforts to ensure it doesn’t happen again. We’re also working to identify and notify affected users.

We will let you know if there are any further updates.

9/8/23

Hey all,

This was a web caching issue and is now resolved. For about 30 minutes this afternoon, a small number of users who used a web browser to log in to their camera on view.wyze.com may have seen cameras of other users who also may have logged in through view.wyze.com during that time frame. The issue DID NOT affect the Wyze app or users that did not log in to view.wyze.com during that time period.

Once we identified the issue we shut down view.wyze.com for about an hour to investigate and fix the issue.

This experience does not reflect our commitment to users or the investments we’ve made over the last few years to enhance security. We are continuing to investigate this issue and will make efforts to ensure it doesn’t happen again. We’re also working to identify affected users.

We will let you know if there are any further updates.

9 Likes
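The advisory above attributes the exposure to a wrong CloudFront caching setting: for a short window, a response generated for one logged-in user was served to other logged-in users. The following is an added example, not Wyze's code and not a reproduction of their configuration. It models, in a simplified shared edge cache (an assumption; real CloudFront cache policies have more options), the two ingredients that make a per-user response leak: the origin marks the response as cacheable by shared caches, and the cache key ignores the session cookie. It then shows either fix alone closing the gap, plus a small audit check an origin owner could run against its own responses.

```python
"""Shared-cache leak model: per-user responses served to the wrong user."""
import json
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


# Constructed sample data (not real accounts): two sessions, two users.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
CAMERAS = {"alice": ["alice-front-door", "alice-kitchen"], "bob": ["bob-garage"]}


def origin(req: Request, *, mark_private: bool) -> Response:
    """Hypothetical per-user origin: /cameras lists the session owner's cameras."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return Response("login required", {"Cache-Control": "no-store"})
    # The weak setting: a per-user body sent with shared-cacheable directives.
    cache_control = "private, no-store" if mark_private else "public, max-age=60"
    return Response(json.dumps(CAMERAS[user]), {"Cache-Control": cache_control})


def directives(resp: Response) -> set:
    raw = resp.headers.get("Cache-Control", "")
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


def shared_cacheable(resp: Response) -> bool:
    """A shared cache may store the response only if the origin allowed it."""
    d = directives(resp)
    if "no-store" in d or "private" in d:
        return False
    return any(x.startswith("max-age=") for x in d)


class EdgeCache:
    """Simplified edge cache: the cache key is the path plus selected cookies."""

    def __init__(self, key_cookies=()):
        self.key_cookies = tuple(key_cookies)
        self.store = {}
        self.hits = 0

    def cache_key(self, req: Request):
        return (req.path, tuple((c, req.cookies.get(c)) for c in self.key_cookies))

    def fetch(self, req: Request, origin_fn) -> Response:
        key = self.cache_key(req)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = origin_fn(req)
        if shared_cacheable(resp):
            self.store[key] = resp
        return resp


def simulate(key_cookies=(), mark_private=False):
    """Alice loads /cameras first, then Bob; return what each of them saw."""
    cache = EdgeCache(key_cookies)
    send = lambda r: origin(r, mark_private=mark_private)
    alice = cache.fetch(Request("/cameras", {"session": "sess-alice"}), send)
    bob = cache.fetch(Request("/cameras", {"session": "sess-bob"}), send)
    return json.loads(alice.body), json.loads(bob.body)


def audit(req: Request, resp: Response) -> list:
    """Flag a response to an authenticated request that a shared cache may store."""
    findings = []
    if "session" in req.cookies and shared_cacheable(resp):
        findings.append("per-user response lacks Cache-Control: private/no-store")
    return findings


if __name__ == "__main__":
    print("misconfigured:", simulate())                          # Bob sees Alice's cameras
    print("key includes session:", simulate(key_cookies=("session",)))
    print("origin marks private:", simulate(mark_private=True))
```

With the default (weak) settings, Bob's request hits the entry Alice's response created and he is shown her camera list. Including the session cookie in the cache key isolates users, and marking per-user responses `private, no-store` keeps them out of the shared cache entirely; deploying both is the usual defence-in-depth choice, since the audit check catches the second regardless of how the edge is configured.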

Found another cool update in the last couple of months:

I don’t use Webview often, but I do use it sometimes. & yesterday I noticed something new that I am happy about.

In the past, the webview had a weird aspect ratio that cut off the Timestamp from the bottom of the video in Webview (I can’t remember if this was only in full screen or always). I had to go grab and use a script through tampermonkey to force the webview to display the full camera view. I thought Wyze would never fix this.

Here I was just talking about it with someone else who said it was still doing this as recently as June 30th

I loaded webview up again last night without Tampermonkey running, and was surprised to see that Wyze no longer cuts off the timestamp in any view! Someone fixed the display from the cropped off videos to finally show the full thing! This change apparently happened sometime in the last 2 months, so, at least they’ve done more than just patch the caching issue in the last 2 months. It seems like they are still working on getting us some improvements. It would be nice if we could rearrange the cameras’ liveview layout a little better. Then I’d use it a bit more. I know I can use a group, but I want to be able to watch like 9 of my cameras at a time, and they’re all in different groups, and not all at the top of the main page. It would be nice to rearrange that a little.

I will say that I can almost never use the webview on Chrome unless I delete the cache…it always gives me this error:

So I usually have 2 options: Delete the browser cache, or just load a different browser like Firefox. So I give up and use Firefox instead of having to delete my Chrome Cache every single time I want to use webview.

But it is cool that they fixed the cropping issue sometime in the last 2 months, so I see they are indeed still working on improving it. Kind of wish we’d get release notes about when improvements/changes are made to the webview like we get for the app and firmware.

3 Likes

So what were the measures you enacted so this cannot occur again?

1 Like

It’s unacceptable that this happened to begin with, but it’s very irresponsible of you guys to not send out a notification on the app or email about this as soon as it happened so people could take proper precautions. It’s not enough to make a forum post about it because most people don’t spend their day browsing the forums IN CASE a breach or some other important news happened. I only got the full story on here a week later because someone else posted the link to a forum, not from you.

You guys aren’t shy about notifications when you’re trying to sell some overstock Chinese product, but all of a sudden you’re shy when a major data breach happens? It doesn’t matter that it only affected 10 people (or so you claim).

1 Like

Maybe it’s time to do away with Wyze web view. Security gaps in a feature few of your customers use are destroying your company’s reputation and surely affecting the bottom line. It appears that despite the last embarrassing fumble with Web view, Wyze still lacks the technical expertise needed to maintain a secure web portal. And the company also hasn’t improved PR and communications around security issues. It’s getting harder to stand by Wyze when reputable reviewers and experts are sounding alarms.

Has anyone from the Wyze Team indicated they will do a better job at notifications?

Also, two days ago, the NY Times Wirecutter web site came out with this rare notice - Why We’re Pulling Our Recommendation of Wyze Security Cameras. I am a big fan of this web site and cannot remember when they pulled a recommendation. Hey Wyze Team, how about spending a few dollars on beefing up notifications?

This is a perfect response IMO. Obviously, the issue is regrettable and in no way can be considered “perfect” but this explanation and what Wyze is going to do about it covers exactly everything I could’ve reasonably hoped to hear including hiring an external security team to check things out. This is reassuring that an unbiased 3rd party will also be evaluating things.

I’m certainly willing to give some reasonable leeway here that analyzing all the page traffic in detail for 2,300 users logged in during that time could take a staggering amount of time, as well as all the other things investigated, and then interviewing and negotiating to decide which 3rd party security team to hire, etc. So with all that information, 2 weeks to finalize the investigation and devise an action-plan actually seems within reasonable parameters to me. Wyze did at least continually tell us their investigation was still ongoing and more was to come. Though hopefully Wyze learned for future consideration that it might have been better to inform people by email or something as well when it first happened so they would find out from Wyze directly instead of from news articles (for example, some of my family weren’t upset about what happened, since they work in tech fields and know mistakes or events do happen, but more hurt that they didn’t find out from Wyze directly).

Thank you, Wyze. I support this as a reasonable response to a bad situation. It sounds like everyone learned something and you will be all the better for it now, especially having unbiased 3rd parties checking things out now too. :+1: I love that.

7 Likes

Thank you for the super detailed explanation.

It’s great to hear that Wyze will be doing penetration testing!

I think the main thing that Wyze could have improved on is notifying users outside of core communities earlier. Many users found out about this from the media which is biased and exaggerated, which makes Wyze look bad.

I think a banner on the website/app or an email to all users notifying them would be ideal.

Aside from that I think this was handled very well.

7 Likes

Sorry Gwendolyn, that’s not good enough. You still don’t explain why a push notification was not IMMEDIATELY sent when you found out about this. No push notification has been sent to this date on this subject yet! It’s only those of us who dug around and found this user forum post and you know that only a fraction of the customers actually visit here. This is not the sign of a company who wants to be open or who takes security seriously.

This time, it was 10 people, but the next data breach or bug you have may affect many more and it doesn’t instill confidence when you try to hide it or wait and see how bad it’s going to be before giving a public statement. I’ve lived with your buggy app and website for a few years now and as annoying as the bugs and lack of features are, they pale in comparison to a security threat like this one was.

For the record, I am neither a fanboy nor a hater of this product. We should hold companies accountable when they play loose with our personal data.

1 Like

Should Wyze decide to immediately push notifications to all users upon discovering any potential threat, disclosure or breach…

I suggest they rate the threat (1⇢5) (minor⇢major) (yellow⇢orange⇢red) (whatever)

so that…

Those who prefer high vigilance
and those who run cool-to-chill
may be ‘equally’ served. :slight_smile:

The Daily Show 2015

2 Likes

Immediate notification to all upon discovery exposes the issue to the world before containment/mitigation. Wyze follows industry standard best practices:

  • Identification/analysis
  • Containment/mitigation
  • Assessment
  • Notification
  • Support/assistance
  • Evaluation/improvement

6 Likes

If WYZE was following industry standards, the NY Times Wirecutter wouldn’t have taken them off their recommend list. They likely wouldn’t have made any public comment, or at least to this extent had it not been for the Wirecutter article. Technically, even now some weeks later, they STILL have not sent out an email or push notification and are instead hiding their response in a forum that few users actually check so many subscribers likely have no idea this ever happened.

You’re a moderator on here so obviously you’re biased towards the company and you might even take this post down because you don’t like what I’m saying. I’m just a customer who spends money on the cameras and a subscription so my bias is towards not wanting my personal data or camera exposed to the world. In my view, they were careless to begin with. Fine, things happen, but no matter how you try to sugarcoat it, they waited too long to let their customers know. I only found out about it after reading about it on 3rd party news sites. You can’t deny this. At some point they should have sent out a push notification.

I really don’t understand people defending bad behavior by large corporations. It’d be nice if someone stood up for the little guy for a change. Again, this news was already out so the “bad actors” would have found out about it in the news first so the company notifying their customers wouldn’t have hurt the end user and would have instead helped them.

1 Like

I guess that rag the NY Times should take Apple off the good guys list also. I got no push notifications from Apple about any security issues, my security software told me to update the iOS after the fact and the fix was already implemented by Apple.

5 Likes