Amazon purchased Ring for $1 billion in February. According to reporting by The Information, a security flaw in the software allowed people who were logged into the doorbell app to stay logged in even after the password had been changed.
In its article, The Information cites Miami resident Jesus Echezarreta, who didn’t know he was being spied on by his ex-boyfriend via Ring. His ex told Echezarreta he needed to walk his dog more; when asked how he would know that, he confessed to watching Echezarreta with the app.
Although Ring doesn’t currently lock and unlock doors, it can be used to connect with other security firms like ADT. In addition, Amazon has said it may integrate Ring with its Amazon Key service, which allows delivery people to gain access to Amazon customers’ homes.
Ring, which has pitched itself as a home security company, told The Information the app was updated in January to kick people off when a password is changed—and require a new login.
However, the company’s CEO Jamie Siminoff said Ring doesn’t kick users off immediately because that would slow the app down.
Although Siminoff said they are lowering the time it takes for people to be kicked off to one hour, The Information’s reporter was able to access his app several hours after changing the password.
A security expert told The Information that when a password changes, every device logged in should be automatically logged off.
“It’s certainly not a security best practice to implement the authentication the way they have,” Jay Kaplan, CEO of security firm Synack, said.
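An added example, not Ring's code or anything from The Information's report: one common way to log every device out the moment a password changes is to keep a per-user credential generation counter and compare it on each request, which costs one lookup and no waiting period. The class, method and account names are hypothetical, and the `revoke_on_change=False` mode is a constructed stand-in for the behaviour described above, where an old session outlives the password.

```python
import hashlib, hmac, os, secrets

class Auth:
    """Hypothetical session store bound to a per-user credential generation."""
    def __init__(self, revoke_on_change=True):
        self.users = {}      # username -> {"salt", "hash", "gen"}
        self.sessions = {}   # token -> (username, generation at login)
        self.revoke_on_change = revoke_on_change

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = os.urandom(16)
        rec = self.users.setdefault(user, {"gen": 0})
        rec["salt"], rec["hash"] = salt, self._hash(password, salt)
        if self.revoke_on_change:
            rec["gen"] += 1  # every session issued before this point is stale

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(
                rec["hash"], self._hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, rec["gen"])
        return token

    def validate(self, token):
        """Run on every API request; returns the username or None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, gen = entry
        if gen != self.users[user]["gen"]:  # password changed since login
            del self.sessions[token]
            return None
        return user

def demo(revoke_on_change):
    """A device logged in before the change, and one logged in after it."""
    auth = Auth(revoke_on_change)
    auth.set_password("owner", "old-pass")        # constructed sample account
    old_device = auth.login("owner", "old-pass")  # session from before the change
    auth.set_password("owner", "new-pass")
    new_device = auth.login("owner", "new-pass")
    return auth.validate(old_device), auth.validate(new_device)
```

`demo(True)` rejects the pre-change session and accepts the new one; `demo(False)` accepts both, which is the stale-session condition.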
Unfortunately, Echezarreta’s experience showed how easily these apps can be manipulated. When he complained to Ring, reports The Information, the company’s internal logs showed that someone had downloaded video from his doorbell several times since August, when Echezarreta broke up with his boyfriend.
The app also discovered that someone was ringing Echezarreta’s doorbell remotely during late night hours. The man’s ex eventually apologized and Ring also sent him a new doorbell.
In a statement to Fox News, a Ring spokesperson said: “Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security.”
“We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring’s ‘Shared Users’ feature. This way, owners maintain control over who has access to their devices and can immediately remove users. Our team is taking additional steps to further improve the password change experience.”