'ZDNET Recommends': What exactly does it mean?
ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.
When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.
ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.
Eufy responds to camera security concerns
Eufy has been the subject of public criticism for the past couple weeks since customers reported multiple security flaws in its camera system. As of Monday, an update has been rolled out to the Eufy Security app to add a statement disclosing that thumbnail images will be uploaded to the company's cloud servers.
The new update adds the missing disclaimer.
The fix for the app comes after reports that Eufy security cameras were sending captured images of the camera feed and detected faces to AWS cloud servers, even when the cloud storage option on the app's settings was turned off.
The Eufy Security app gives users the option to have push notifications show only text, or text and a thumbnail of the image captured by the camera. These photos are only sent to the cloud when a customer chooses to have the push notifications on their phones display the thumbnail.
Storing images on the cloud is par for the course for security cameras that send photo thumbnail push notifications to Android devices and iPhones; the problem here is that Eufy never disclosed that to its customers. In fact, it previously emphasized the idea that customers' data is kept local and private, appealing to people who prefer local storage for privacy.
Also: We are still failing to learn the most important lesson in cybersecurity
As evidenced by an email from Eufy reported by information security consultant Paul Moore, the company knew of this contradiction, while supposedly working on fixing the issue with the new HomeBase 3. The company also said it would "encrypt the API between the browser and the server to avoid plaintext URL display," which just means the uploaded data will be hidden better.
Personally, I like to keep my push notifications with no thumbnails to prevent these issues.
The new disclaimer added to the Eufy Security app.
ZDNET asked for comment but have yet to hear if the company will address the issue of people being able to view the camera feeds using VLC player and a URL, no authentication required. If the sound of that makes you want to switch off your Eufy cameras and hurl them into the abyss, you're not alone.
Review: Why I'm not getting rid of my Eufy cameras yet
However, keep in mind that for someone to actually obtain access to your video feed this way, they'd need to log in to your account using your information and password to get a unique URL for the camera feed, which changes for each stream. They'd also need to accurately guess when the camera is streaming, which is when an event happens that triggers the camera to record or when someone is viewing the live feed.