A recently revealed flaw in Ring’s app didn’t require users to sign in again after a password change: anyone who had signed in with the old, now-expired password stayed logged in indefinitely, with full privileges to view and download video.
Ring’s login flaw was made public in a recent report from The Information. The article relays an anecdote about a Ring user realizing his ex-boyfriend retained continuing access to his video doorbell feed, even though the password had been changed.
Ring, which was acquired by Amazon earlier this year, claims it began to force users out — to make them log back in — after learning of the incident in January, but a test by The Information still found a window of a few hours in which an expired password user still had video access.
Ring made a statement about the incident, as shared by Engadget:
“Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security.
“We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring’s “Shared Users” feature. This way, owners maintain control over who has access to their devices and can immediately remove users.
“Our team is taking additional steps to further improve the password change experience.”
While Ring suggests everyone in your family — and other trusted users — should be added as a “shared user,” the scenario in the story that revealed the flaw seems fairly common. How many other users retained video access to Ring’s video doorbells after a password change? We’ll never know.
It’s common practice for any secure sign-in to force users to log back in after a password change, so it’s a bit disconcerting that Ring wasn’t doing this. Ring’s “additional steps” should certainly include a quicker forced log out for any users with an expired password.
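The fix the article calls for is simple to implement on the server side: every session records the password “generation” that was current when it was issued, and a password change bumps the generation so every older session fails its next check. The example below is an added illustration, not Ring’s code, and the `SessionStore`, `User` and `Session` names are made up for it. The same store is run twice: once with the generation check disabled, reproducing the described flaw (the second device keeps access after the password change), and once with it enabled.

```python
"""Session invalidation on password change (added example, not Ring's code).

Sessions are stamped with the account's password generation at login. The
hardened check rejects any session issued under an earlier generation, so a
password change logs out every other device immediately.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    pw_hash: bytes
    salt: bytes
    pw_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    username: str
    pw_generation: int  # generation that was current when the session was issued


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SessionStore:
    """In-memory account and session store (hypothetical, for illustration)."""

    def __init__(self, require_current_generation: bool):
        # False reproduces the flaw in the article; True is the hardened behaviour.
        self.require_current_generation = require_current_generation
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, _hash_password(password, salt), salt)

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.pw_generation)
        return token

    def change_password(self, username: str, old_pw: str, new_pw: str,
                        keep_token: Optional[str] = None) -> bool:
        user = self.users.get(username)
        if user is None or not self._check_password(user, old_pw):
            return False
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(new_pw, user.salt)
        user.pw_generation += 1  # every existing session is now stale
        # Re-stamp only the session that performed the change, so the user is
        # not logged out of the device they are using right now.
        keep = self.sessions.get(keep_token) if keep_token else None
        if keep is not None and keep.username == username:
            keep.pw_generation = user.pw_generation
        return True

    def authorize(self, token: str) -> Optional[str]:
        """Return the username if the token grants access, else None."""
        session = self.sessions.get(token)
        if session is None:
            return None
        user = self.users[session.username]
        if self.require_current_generation and session.pw_generation != user.pw_generation:
            del self.sessions[token]  # stale session: drop it on first use
            return None
        return session.username


def demo() -> Dict[bool, Dict[str, bool]]:
    """Run the flawed and hardened variants on the scenario from the article."""
    results = {}
    for hardened in (False, True):
        store = SessionStore(require_current_generation=hardened)
        store.register("owner", "old-password")  # constructed sample account
        own_phone = store.login("owner", "old-password")
        other_device = store.login("owner", "old-password")  # no longer trusted
        store.change_password("owner", "old-password", "new-password", keep_token=own_phone)
        results[hardened] = {
            "owner_still_in": store.authorize(own_phone) == "owner",
            "other_device_in": store.authorize(other_device) == "owner",
            "old_pw_login": store.login("owner", "old-password") is not None,
        }
    return results


if __name__ == "__main__":
    print(demo())
```

A generation counter rather than a list of revoked tokens has two practical advantages: it also works for stateless tokens (put the generation in the token's claims and compare it on every request), and it takes effect on the very next request, which is what closes the hours-long window The Information still observed after Ring's initial fix.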