A vulnerability in the Ring’s Neighbors app was the ability to display the exact locations and home addresses of the users who posted to the app.
Ring, the $ 1 billion video doorbell and home security startup acquired by Amazon, launched Neighbors in 2018 as a breakaway feature in its own standalone app. Neighbors is one of several neighborhood surveillance apps like Nextdoor and Citizen that allow users to anonymously alert local residents of crime and public safety issues.
While users’ posts are public, the app does not display names or exact locations. However, most of them contain videos captured by ringtones and security cameras. The bug made it possible to get the location data of users who posted on the app, including those who report crimes.
However, the exposed data was not visible to anyone using the app. Rather, the mistake was trying to get hidden information, including the user’s latitude, longitude and home address, from Ring’s servers.
Another problem was that every post …