Ring Flaw Allowed Users To Retain Video Access With Expired Passwords

A recently revealed flaw in Ring’s app didn’t require users to sign in again after a password change was made, allowing users who signed in with an expired password to remain logged in indefinitely, giving them full video viewing and video downloading privileges.


Ring’s login flaw was made public in a recent report from The Information. The article relays an anecdote about a Ring user realizing his ex-boyfriend retained continuing access to his video doorbell feed, even though the password had been changed.

Ring, which was acquired by Amazon earlier this year, claims it began to force users out — to make them log back in — after learning of the incident in January, but a test by The Information still found a window of a few hours in which a user signed in with an expired password still had video access.

Ring made a statement about the incident, as shared by Engadget:

“Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security.

“We strongly recommend that customers never share their username or password. Instead, they should add family members and other users to their devices through Ring’s “Shared Users” feature. This way, owners maintain control over who has access to their devices and can immediately remove users.

“Our team is taking additional steps to further improve the password change experience.”

While Ring suggests everyone in your family — and other trusted users — should be added as a “shared user,” the scenario in the story that revealed the flaw seems like a somewhat common one. How many other users retained video access to Ring’s video doorbells after a password change? We’ll never know.

It’s common practice for any secure sign-in to force users to log back in after a password change, so it’s a bit disconcerting that Ring wasn’t doing this. Ring’s “additional steps” should certainly include a quicker forced log out for any users with an expired password.

Phil Dzikiy

Phil Dzikiy is the former editor in chief of Security Baron. Previously, he worked as a freelance writer and editor at websites like Wirecutter.com and iLounge.com along with publications like the Lockport Union Sun & Journal and the Greater Niagara Newspapers. With digital and print experience under his belt, Phil has a passion for all things technology including home security, cyber security, and the smart home. His bachelor's degree in Journalism from the University of Maryland College Park initially landed Phil his first job at the Beaver County Times, which has led to over 15 years of experience as a journalist.
