Amazon’s Ring Neighbors app exposed users’ precise locations and home addresses

Zack Whittaker
Security Editor, TechCrunch
January 14, 2021
A vulnerability within Ring’s Neighbors application resulted in the disclosure of users’ exact locations and residential addresses stemming from their contributions to the app.

Ring, a company specializing in video doorbells and home security systems that was acquired by Amazon for $1 billion, introduced Neighbors in 2018 as a distinct feature within its dedicated application. Neighbors functions as one of several neighborhood monitoring applications, similar to Nextdoor and Citizen, enabling users to anonymously inform local residents about criminal activity and public safety concerns.

Although user submissions are publicly accessible, the application does not display user names or specific locations—however, many posts incorporate video footage from Ring doorbells and security systems. The discovered flaw allowed for the retrieval of location information associated with users’ posts, including those reporting incidents of crime.

Critically, this sensitive data was not readily visible to standard app users. Instead, the bug facilitated the extraction of concealed data, encompassing the user’s latitude, longitude, and home address, directly from Ring’s servers.

A further complication was that each post was linked to a unique numerical identifier generated by the server, incrementing with each new user submission. While this number was not displayed to the user within the app, the sequential nature of these post identifiers allowed for the systematic enumeration of location data from prior posts—even those originating from users in distant geographic locations.
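The two weaknesses described above, hidden fields returned by the server and sequential post identifiers, each have a server-side fix, sketched here as an added example that is not Ring's code. The field names, the sample row, the `PublicIdMap` helper and the two-decimal location rounding are all assumptions made for illustration.

```python
import secrets

# Constructed sample row; field names are assumptions, not Ring's real schema.
POST_ROW = {
    "id": 4000123,  # sequential database key
    "title": "Package taken from porch",
    "video_url": "https://example.invalid/v/clip.mp4",
    "latitude": 40.712776,
    "longitude": -74.005974,
    "home_address": "123 Example St",
}
PUBLIC_FIELDS = ("title", "video_url")          # explicit allowlist
SENSITIVE = {"latitude", "longitude", "home_address"}

def serialize_vulnerable(row):
    """Weak pattern: ship the whole row and rely on the app UI to hide fields."""
    return dict(row)

class PublicIdMap:
    """Maps sequential keys to random tokens so public IDs cannot be counted through."""
    def __init__(self):
        self._token_by_key, self._key_by_token = {}, {}

    def token_for(self, key):
        if key not in self._token_by_key:
            token = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
            self._token_by_key[key] = token
            self._key_by_token[token] = key
        return self._token_by_key[key]

    def key_for(self, token):
        return self._key_by_token.get(token)    # None for unknown or guessed IDs

def serialize_hardened(row, ids):
    """Allowlist fields, swap the key for a token, coarsen location server-side."""
    out = {name: row[name] for name in PUBLIC_FIELDS}
    out["id"] = ids.token_for(row["id"])
    # Assumption: two decimal places (roughly a 1 km grid) is coarse enough.
    out["area"] = {"lat": round(row["latitude"], 2), "lon": round(row["longitude"], 2)}
    return out

def leaked_fields(payload):
    """Regression check: sensitive keys present at the top level of a response."""
    return sorted(SENSITIVE.intersection(payload))

if __name__ == "__main__":
    ids = PublicIdMap()
    print(leaked_fields(serialize_vulnerable(POST_ROW)))
    print(serialize_hardened(POST_ROW, ids))
```

A check like `leaked_fields` belongs in the API's test suite, run against real response bodies, so that a field added to the database row later does not silently reach clients.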

By the close of 2020, the Neighbors app contained approximately 4 million posts.

Ring has stated that the issue has been resolved.

“At Ring, we prioritize customer privacy and security above all else. We promptly addressed this issue once it came to our attention. We have found no indication that this information was accessed or misused,” stated Ring spokesperson Yassi Shahmiri.

Last year, Gizmodo identified a comparable flaw in the Neighbors app that revealed hidden location data, allowing them to map the locations of thousands of Ring users throughout the United States.

Ring is currently involved in a class-action lawsuit brought by numerous individuals who allege they experienced death threats and racially motivated abuse following unauthorized access to their Ring smart cameras. In response to these security breaches, Ring initially attributed responsibility to users for failing to implement “best practices,” such as enabling two-factor authentication, which enhances account security.

Following reports of hackers developing tools to compromise Ring accounts and the discovery of over 1,500 user account passwords on the dark web, Ring mandated two-factor authentication for all users.

The smart technology company has also encountered growing scrutiny from civil rights organizations and legislators regarding its close collaborations with numerous U.S. law enforcement agencies, who have partnered with Ring to gain access to footage from homeowners’ doorbell cameras.

Zack Whittaker

Zack Whittaker serves as the security editor for TechCrunch and is the creator of the “this week in security” cybersecurity newsletter. He is available for secure communication via Signal under the username zackwhittaker.1337. Alternatively, you can reach him through email, or confirm the legitimacy of any contact attempts by emailing zack.whittaker@techcrunch.com.