Amazon-owned Ring quietly fixed a “high-severity” security vulnerability in May that could have allowed malicious actors to access camera recordings from Ring video doorbells and extract users’ personal data.
Researchers at Atlanta-based application security company Checkmarx discovered the flaw when analyzing Ring’s app for Android. This app allows users to monitor footage recorded on video doorbells and security cameras, and has been downloaded more than 10 million times.
The researchers found that the app had several bugs which, when chained together, could have allowed attackers to exploit the vulnerability by creating and publishing a malicious app — or pushing an update to an existing app — running on the same device. If a would-be victim were tricked into installing the malicious app, the attackers could obtain authentication cookies, which are small files that keep a user persistently logged in without having to constantly re-enter their password.
With these cookies, an attacker could access a user’s account without their password, allowing the malicious app to steal a Ring user’s full name, email address, and phone number, and Ring device data, such as camera recordings and geolocation data.
Checkmarx said that successful attackers could extract more information from Ring camera recordings themselves, like information in documents or on computer screens visible to a Ring camera, or track people’s movements in and out of rooms or buildings.
Ring fixed the issue on May 27 in version 3.51.0 of the Ring Android app, and told Checkmarx that no customer data was exposed. When reached, Ring spokesperson Claudia Fellerman confirmed to TechCrunch that Ring fixed the vulnerability.
Ring was acquired by Amazon for about $1 billion in 2018. The video doorbell maker has since expanded its law enforcement partnerships to more than 2,200 police departments across the U.S., allowing police to request video doorbell camera footage from homeowners. Ring gave a record amount of user data and customer video recordings to authorities last year, and has shared customers’ footage with police 11 times without the account owner’s consent so far in 2022.
Earlier this year, TechCrunch revealed that a security flaw in Ring’s Neighbors app was exposing the precise locations and home addresses of users who had posted to the app.