There’s no excuse for a buffer overflow in a caching component to lead to a security hole like this. If the data were properly encrypted and could only be decrypted by the client on their own device, the result would have been users simply not seeing videos instead of being able to view others’.
It doesn’t even need to go that far. If some cache mixes up user ids and device ids, those user ids should go to request a video feed and the serving authority should be like “woah, YOU don’t have access to that device/user”. Even when you fucking mix these things up, there should be multiple places in the chain where this gets checked and denied. This is a systemic/architectural issue and not “one little oopsie in a library”. That oopsie simply exposed the problem.
I don’t care if I was affected or how widespread this is. This just shows Wyze can’t be trusted with anything remotely “private”. This is a massive security failing.
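
The layered check the comment argues for, sketched as an added example (not part of the original post, and not Wyze's code): a poisoned cache hands back the wrong device id, and both the API tier and the media tier refuse it. The names `DEVICE_OWNER`, `TOKEN_KEY`, `issue_stream_token`, `serve_feed` and `request_feed` are hypothetical, and the data is constructed.

```python
import hashlib
import hmac

# Constructed sample data: authoritative device -> owner mapping (hypothetical).
DEVICE_OWNER = {"cam-A": "alice", "cam-B": "bob"}
TOKEN_KEY = b"constructed-demo-key"  # placeholder secret for this example only


class AccessDenied(Exception):
    pass


def poisoned_cache_lookup(user_id):
    """Simulates the failure mode: the cache returns another user's device."""
    return {"alice": "cam-B", "bob": "cam-A"}[user_id]


def _binding(session_user, device_id):
    # MAC over the (user, device) pair; ids are assumed not to contain "|".
    msg = f"{session_user}|{device_id}".encode()
    return hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()


def issue_stream_token(session_user, device_id):
    """Check 1 (API tier): authorize against the source of truth, not the cache."""
    if DEVICE_OWNER.get(device_id) != session_user:
        raise AccessDenied(f"{session_user} does not own {device_id}")
    return _binding(session_user, device_id)


def serve_feed(session_user, device_id, token):
    """Check 2 (media tier): the token must bind this user to this device."""
    if not hmac.compare_digest(_binding(session_user, device_id), token):
        raise AccessDenied("token not valid for this user/device pair")
    return f"feed:{device_id}"


def request_feed(session_user, lookup):
    """Full request path; `lookup` is whatever resolved the device id."""
    device_id = lookup(session_user)
    try:
        token = issue_stream_token(session_user, device_id)
        return serve_feed(session_user, device_id, token)
    except AccessDenied:
        return None  # the user sees no video rather than someone else's


if __name__ == "__main__":
    print(request_feed("alice", poisoned_cache_lookup))  # denied
    print(request_feed("alice", lambda u: "cam-A"))      # own camera
```
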