this post was submitted on 19 Feb 2024
200 points (100.0% liked)

Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

[–] SpaceNoodle@lemmy.world 51 points 2 years ago* (last edited 2 years ago) (2 children)

There's no excuse for a buffer overflow in a caching component to lead to a security hole like this. If the data were properly encrypted and could only be decrypted by the client on their own device, the result would have been users simply not seeing videos instead of being able to view others'.

[–] Ottomateeverything@lemmy.world 23 points 2 years ago

It doesn't even need to go that far. If some cache mixes up user ids and device ids, those user ids should go to request a video feed and the serving authority should be like "woah, YOU don't have access to that device/user". Even when you fucking mix these things up, there should be multiple places in the chain where this gets checked and denied. This is a systemic/architectural issue and not "one little oopsie in a library". That oopsie simply exposed the problem.

I don't care if I was affected or how widespread this is. This just shows Wyze can't be trusted with anything remotely "private". This is a massive security failing.
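An added illustration of the two comments above, not code from the thread or from Wyze: a constructed Python model in which a device-to-owner cache hands back the wrong owner label, and the serving layer either trusts that label (the "one little oopsie" becomes a leak) or re-checks ownership against the authoritative record and fails closed. All names, ids and data are made up.

```python
"""Defense in depth for a mislabelled cache entry (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict

# Authoritative ownership record (constructed sample data).
DEVICE_OWNER: Dict[str, str] = {"cam-1": "alice", "cam-2": "bob"}


class AccessDenied(Exception):
    pass


@dataclass
class CachedFrame:
    device_id: str
    owner_id: str   # who the cache *claims* owns this frame
    blob: bytes


def make_cache(labels: Dict[str, str]) -> Callable[[str], CachedFrame]:
    """Build a cache lookup whose owner labels come from `labels`."""
    return lambda dev: CachedFrame(dev, labels[dev], f"frame-from-{dev}".encode())


# A healthy cache and one whose user/device labels got swapped (the bug).
GOOD_CACHE = make_cache(DEVICE_OWNER)
CORRUPTED_CACHE = make_cache({"cam-1": "bob", "cam-2": "alice"})


def serve_trusting_cache(requester: str, device_id: str, cache=CORRUPTED_CACHE) -> bytes:
    """Vulnerable: the only access check is the cache's own owner label."""
    entry = cache(device_id)
    if entry.owner_id != requester:
        raise AccessDenied(requester)
    return entry.blob


def serve_with_recheck(requester: str, device_id: str, cache=CORRUPTED_CACHE) -> bytes:
    """Hardened: the serving authority checks the authoritative record first,
    then refuses any cache entry whose labels disagree with that record."""
    if DEVICE_OWNER.get(device_id) != requester:
        raise AccessDenied(requester)   # checkpoint 1: requester must own the device
    entry = cache(device_id)
    if entry.device_id != device_id or entry.owner_id != requester:
        raise AccessDenied(requester)   # checkpoint 2: cache entry must match; fail closed
    return entry.blob


def is_denied(serve: Callable[..., bytes], requester: str, device_id: str, **kw) -> bool:
    """True if `serve` refuses the request (helper for checking outcomes)."""
    try:
        serve(requester, device_id, **kw)
    except AccessDenied:
        return True
    return False
```

With the corrupted cache, the trusting server shows bob alice's camera, while the re-checking server denies bob and also declines to show alice a mislabelled frame (she simply sees no video, which is the outcome the comment above argues for); with the healthy cache the hardened path still serves owners normally.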

[–] admiralteal@kbin.social 10 points 2 years ago (1 children)

If the data were properly encrypted and could only be decrypted by the client on their own device

Yeah, but part of Wyze's sales pitch is their AI image recognition features, and they'd lose all training data by doing that and would force it to be processed locally, both of which would be a dead end.

I realize these might not be features you want or care about... but those are the features they want to offer.

[–] SpaceNoodle@lemmy.world 2 points 2 years ago

Even just encrypting it before transmission would have prevented this, and still allowed them to harvest data.