Ring, the video doorbell and home security startup acquired by Amazon for $1 billion, launched Neighbors in 2018 as a breakaway feature in its own standalone app. Neighbors is one of several neighborhood watch apps, like Nextdoor and Citizen, that lets users anonymously alert nearby residents to crime and public-safety issues.
While users’ posts are public, the app doesn’t display names or precise locations — though most include video taken by Ring doorbells and security cameras. The bug made it possible to retrieve the location data on users who posted to the app, including those who are reporting crimes.
But the exposed data wasn’t visible to anyone using the app. Rather, the bug was retrieving hidden data, including the user’s latitude and longitude and their home address, from Ring’s servers.
Another problem was that every post was tied to a unique number generated by the server that incremented by one each time a user created a new post. Although the number was hidden from view to the app user, the sequential post number made it easy to enumerate the location data from previous posts — even from users who aren’t geographically nearby.
The Neighbors app appeared to have about 4 million posts by the end of 2020.
Ring said it had fixed the issue.
“At Ring, we take customer privacy and security extremely seriously. We fixed this issue soon after we became aware of it. We have not identified any evidence of this information being accessed or used maliciously,” said Ring spokesperson Yassi Shahmiri.
Last year Gizmodo found a similar bug in the Neighbors app that revealed hidden location data, allowing them to map out thousands of Ring users across the United States.
Ring currently faces a class-action suit by dozens of people who say they were subjected to death threats and racial slurs after their Ring smart cameras were hacked. In response to the hacks, Ring put much of the blame on users for not using “best practices” like two-factor authentication, which makes it harder for hackers to access a user’s account with the user’s password.
After it emerged that hackers were reportedly creating tools to break into Ring accounts and over 1,500 user account passwords were found on the dark web, Ring made two-factor authentication mandatory for every user.
The smart tech maker has also faced increasing criticism from civil rights groups and lawmakers for its cozy relationship with hundreds of U.S. police departments that have partnered with Ring for access to homeowners’ doorbell camera footage.