Security flaw in Ring Neighbors app exposed precise location of users

By Mike Peterson

A bug in the Ring Neighbors app exposed the precise location data and home addresses of users who posted on the neighborhood watch platform.

Credit: Ring

Public user posts on Neighbors are anonymized, but a security lapse in the app may have allowed attackers to retrieve sensitive user information that isn't normally accessible, a new report by TechCrunch claims.

While posts on Neighbors incorporate video footage from Ring products, they don't include publicly viewable names or location data. However, the flaw caused certain data like a user's latitude, longitude, and home address to become extractable from Ring's servers -- including data from the posts of users who had reported crimes.

Another issue is that every Neighbors post is tied to a unique number that the servers increment each time a user posts. That made it possible to enumerate location data from a user's previous posts.

In a statement to TechCrunch, Ring said that it had fixed the issue "soon after we became aware of it." It added that it didn't believe the hidden data was accessed or used maliciously.

The Ring Neighbors app was launched in 2018 as a hyperlocal social networking platform similar to Nextdoor and Citizen. Like the latter app, Ring's offering allows users to alert nearby neighbors to public safety issues in their communities. As of the end of 2020, Ring had about four million public posts.

This isn't the first time that Ring has faced privacy or security issues. In 2020, the Ring Android app was found to be spying on users. The year prior, Ring fired four employees who allegedly abuse "highly privileged access" to customer live feeds.

The Ring Neighbors app is also closely connected to Ring's law enforcement partnerships. Police are able to make posts on the platform and can use an online portal to collect footage posted on it.