The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Critical Unpatched Flaws Disclosed In Western Digital 'My Cloud' Storage Devices

    Discussion in 'Hardware Components and Aftermarket Upgrades' started by Dr. AMK, Jan 5, 2018.

  1. Dr. AMK

  2. hmscott

    Western Digital 'My Cloud' devices have a hardcoded backdoor -- stop using these NAS drives NOW!
    By Brian Fagioli Published 6 hours ago
    https://betanews.com/2018/01/07/western-digital-mycloud-backdoor/

    "I must be honest -- I am starting to become fatigued by all of the vulnerabilities and security failures in technology nowadays. Quite frankly, between Spectre and Meltdown, I don't even want to use my computer or devices anymore -- I feel exposed.

    Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital My Cloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files could be at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company apparently did nothing until November 2017. Let's be realistic -- not everyone stays on top of updates, and a backdoor never should have existed in the first place.

    "Exploiting this issue to gain a remote shell as root is a rather trivial process. All an attacker has to do is send a post request that contains a file to upload using the parameter 'Filedata[0]', a location for the file to be uploaded to which is specified within the 'folder' parameter, and of course a bogus 'Host' header," says James Bercegay, GulfTech Research and Development.

    Bercegay further explains, "The triviality of exploiting this issue makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."

    But wait -- why does a Western Digital product have a hardcoded username containing dlink? Weird right? The researchers did some investigating and found that the WD NAS devices once shared code with D-Link "Sharecenter" devices. Interestingly, these D-Link devices were issued patched firmware in 2014 and no longer contain the backdoor.

    Bercegay shares the timeline below. As you can see, Western Digital had plenty of time to fix this. It was reported in June of last year, but apparently, nothing was done for many months.
    • 2017-06-10: Contacted vendor via web contact form. Assigned case #061117-12088041.
    • 2017-06-12: Support member Gavin referred us to WDC PSIRT. We immediately sent a PGP encrypted copy of our report to WDC PSIRT.
    • 2017-06-13: Received confirmation of report from Samuel Brown.
    • 2017-06-16: A period of 90 days is requested by vendor until full disclosure.
    • 2017-12-15: Zenofex posts disclosure of the upload bug independently of my research
    • 2018-01-03: Public Disclosure
    If you aren't sure if your My Cloud Storage device is affected, please check against the below list. If your model is listed, you should unplug it from Ethernet immediately. Apparently, firmware 2.30.165 (issued November 2017) fixes the bug, so do not reconnect to the internet until you are sure that your device is updated and the vulnerability is patched.
    • MyCloud
    • MyCloudMirror
    • My Cloud Gen 2
    • My Cloud PR2100
    • My Cloud PR4100
    • My Cloud EX2 Ultra
    • My Cloud EX2
    • My Cloud EX4
    • My Cloud EX2100
    • My Cloud EX4100
    • My Cloud DL2100
    • My Cloud DL4100
    Please know, even if you updated the firmware in November, your files could have been accessed by nefarious people before then -- for years. That is very scary.

    How does this situation affect your opinion of Western Digital? Tell me in the comments below."
     
    Dr. AMK likes this.
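
Added example, not part of the original post or the quoted article: a small log-triage script a My Cloud owner or network admin could run over HTTP access logs to look for the two behaviours the article describes (use of the hardcoded account name, and a web page on another origin driving requests to a default hostname), plus a firmware check against the fixed release the article names. The log layout, the placeholder paths in the sample lines and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote, urlparse

BACKDOOR_USER = "mydlinkBRionyg"                  # username quoted in the article
DEFAULT_HOSTS = {"wdmycloud", "wdmycloudmirror"}  # default hostnames quoted in the article
FIXED_FIRMWARE = (2, 30, 165)                     # fixed release named in the article

# Assumed log layout: vhost client - - [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]*\] '
                  r'"(?P<request>[^"]*)" \d{3} \S+ "(?P<referer>[^"]*)"')

def triage(line):
    """Return the list of findings for one access-log line."""
    m = LINE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    # Rule 1: the hardcoded account name appears anywhere in the request line,
    # including percent-encoded or differently cased variants.
    if BACKDOOR_USER.lower() in unquote(m["request"]).lower():
        findings.append("backdoor-username")
    # Rule 2: a page on another origin made the browser request the NAS.
    vhost = m["vhost"].lower().split(":")[0]
    ref_host = (urlparse(m["referer"]).hostname or "").lower()
    if vhost.split(".")[0] in DEFAULT_HOSTS and ref_host and ref_host != vhost:
        findings.append("cross-site-request")
    return findings

def needs_update(firmware):
    """True when a dotted firmware string is older than the fixed release."""
    return tuple(int(p) for p in firmware.split(".")) < FIXED_FIRMWARE

# Constructed sample lines (paths and addresses are placeholders, not real endpoints).
SAMPLE = [
    'wdmycloud 192.168.1.20 - - [03/Jan/2018:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "http://wdmycloud/" "UA"',
    'wdmycloud 192.168.1.20 - - [03/Jan/2018:10:00:05 +0000] "GET /placeholder?u=mydlinkBRion%79g HTTP/1.1" 200 12 "-" "UA"',
    'wdmycloud 192.168.1.31 - - [03/Jan/2018:10:01:00 +0000] "POST /placeholder HTTP/1.1" 200 0 "http://site.example/page" "UA"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry), entry[:60])
    print(needs_update("2.30.160"), needs_update("2.30.165"))
```

A hit on either rule in logs dated before the firmware update is a reason to treat the device's contents as possibly accessed, which is the point the article makes in its closing paragraph.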
  3. Dr. AMK

    Thank God, I was trying to buy a few of them a few weeks ago for trading; there is stock in the US at almost half price for the 4TB. All technology owners will never stop doing whatever they can to get inside our lives, hacking our privacy in the name of "Anything".
     
    Papusan and hmscott like this.