January 4, 2020

Wyze Confirms Server Leak

Catalin Cimpanu on zdnet.com:

Song said the exposed database — an Elasticsearch system — was not a production system; however, the server was storing valid user data.

Elasticsearch is a really powerful tool, but it loves data. The more the merrier. If you designed a safe(ish) production environment and change management process for it — then things should be ok. But dev environments usually have more relaxed rules - which is ok, they also have less less data to work with - which is a pain to test, which usually leads to lets just copy prod data for a test” - which becomes the weakest link in your security chain without you realizing it.

Song confirmed that the leaky server exposed details such as the email addresses customers used to create Wyze accounts, nicknames users assigned to their Wyze security cameras, WiFi network SSID identifiers, and, for 24,000 users, Alexa tokens to connect Wyze devices to Alexa devices.

As a big Wyze user: dammit.


snippets


Previous post
Tidbits for 2019 Week 50 Endless Paper endlesspaper.app Photo Editor : Pixlr Editor - 2020 version pixlr.com I’d buy this Apple TV Remote in second if available
Next post
Foundryside (Founders, #1) by Robert Jackson Bennett Foundryside (Founders, #1) ★★★★★ Enjoyed this book from the first page. The world it creates incorporates magic incantations with coding, and the