Amazon's Ring Neighbors App Exposed Users' Precise Locations and Home Addresses

A security flaw in Ring's Neighbors app was exposing the precise locations and home addresses of users who had posted to the app. From a report: Ring, the video doorbell and home security startup acquired by Amazon for $1 billion, launched Neighbors in 2018 as a breakaway feature in its own standalone app. Neighbors is one of several neighborhood watch apps, like Nextdoor and Citizen, that lets users anonymously alert nearby residents to crime and public-safety issues. While users' posts are public, the app doesn't display names or precise locations -- though most include video taken by Ring doorbells and security cameras. The bug made it possible to retrieve the location data on users who posted to the app, including those who are reporting crimes. But the exposed data wasn't visible to anyone using the app. Rather, the bug was retrieving hidden data, including the user's latitude and longitude and their home address, from Ring's servers. Another problem was that every post was tied to a unique number generated by the server that incremented by one each time a user created a new post. Although the number was hidden from view to the app user, the sequential post number made it easy to enumerate the location data from previous posts -- even from users who aren't geographically nearby.

What a toxic thing

[Arthur, KBE]

The Stasi would have blown a load for this device. Neighbors tattling on neighbors, and they PAY for this "privilege".

Re: And this is a prob?

[BAReFO0t]

Completely missing the point.
Deliberately so.

Go back to your owners, drone.

Re:

[ToasterMonkey]

The Stasi would have blown a load for this device. Neighbors tattling on neighbors, and they PAY for this "privilege".

Pay? In that form of government, the people are already paying for the security apparatus that enables the Stasi to exist, cameras will be provided free of charge comrade.

Plus, they would have gone dry when cordless phones exploded in the 90's, or cheap internet based security cams were available twenty years ago. They wouldn't have anything left by the time cellphones were widely available, much less smartphones... or drones, for crying out loud.

The problem with the Stasi is always the Stasi, not every n

Bug?

[Murdoch5]

This wasn't a bug, this was an intentional design which someone noticed and made a complaint about. A company of Amazon's size wouldn't make that big blunder, they intended to leak the information because they wouldn't collect it otherwise.

Re:

[Arthur, KBE]

No it's not. Your name and address are a matter of public record.

Re:

[Murdoch5]

That's true, but they have very little reason for needing it.

Re:

[Mattcelt]

Your name and address are a matter of public record.

Not as it applies to companies' use, especially in California. Name and address are regarded as protected information, and companies can get it big trouble for disclosing it.

The California Consumer Privacy Act (CCPA) in particular provides fines of $750 per record for unauthorised disclosure, and name and address are part of the list of protected attributes.

Re:

[Sleeping Kirby]

@Mattcelt Hi, this post has nothing to do with this story. I just don't know how else to get in touch with you. It's regarding this:
https://slashdot.org/comments.... [slashdot.org]
I have something. Consider it an alpha build and I wanted to get your feedback/opinion/etc, if you don't mind. You can reach me at gmail (same username, no spaces).

Thank you.

Neigborhood watch?

[BAReFO0t]

Is that what we call instrumenting the population for totalitarian surveillance nowadays?

Why not go all the way?
"Glorious children-protecting anti-terrorist anti-Russian-hacker safety for you and the Oceania motherland". Gcpatarhsfyatom!

Confusing summary

[Malays2 bowman]

"But the exposed data wasn't visible to anyone using the app. Rather, the bug was retrieving hidden data, including the user's latitude and longitude and their home address,"

So was this data being sent to the camera's owner app, or everyone viewing their posts through their app, and those users were slurping this data through 3rd party tools?

"Another problem was that every post was tied to a unique number generated by the server that incremented by one each time a user created a new post. Although the numbe

A neighbors app that show you:

[Fly Swatter]

Your neighbors, and you are surprised? All Social Media should be required to be like this, can't end any more badly than what we have now.

Dumb & Dumber

[grumpy-cowboy]

If you're dumb enough to use "Cloud connected cam, doorbells, locks, ..." in your house, you deserve this. It's that simple.

A tech-savvy man...

[LenKagetsu]

Has a dumb TV.
Has a dumb car.
Has a dumb fridge.
Has a dumb cooker.
Has a dumb doorbell.
Has a router that he bought.
Has a computer he personally build.
Has a firewall and a mile-long hosts list.
Has a browser with maximum security settings.
Has never uttered the word "Alexa" in his house.
Has never uttered the phrase "OK Google" in his house.
Has never uttered the phrase "I have nothing to hide."
Has never entered his phone number into a website.
Has never used his real name on the internet at all.
Has never used Facebook, MySpace, or Twitter.
Has never used the same alias twice.
Has never alluded to his location.
Has never shown his face.
Has never faltered.

Re

[Venguer]

What can we do with all these illegal things happening in the 21st century? Companies sell our private information we have to share with them in case we want to use their service. I have no idea what can I do to stop those annoying calls that say me to pay for something I do not have or buy drugs or whatever. What is the source of the information they have about us? I do not like this situation. Honestly, I have recently replaced my home security system with the Ajax one https://ajax.systems/ [ajax.systems] because mine w