• Ottomateeverything@lemmy.world
    link
    fedilink
    arrow-up
    24
    ·
    10 months ago

    It doesn’t even need to go that far. If some cache mixes up user ids and device ids, those user ids should go to request a video feed and the serving authority should be like “woah, YOU don’t have access to that device/user”. Even when you fucking mix these things up, there should be multiple places in the chain where this gets checked and denied. This is a systemic/architectural issue and not “one little oopsie in a library”. That oopsie simply exposed the problem.

    I don’t care if I was affected or how widespread this is. This just shows Wyze can’t be trusted with anything remotely “private”. This is a massive security failing.