- Joined
- May 18, 1997
- Messages
- 55,601
The Exploiteers have been having some fun with its Western Digital MyCloud NAS system, and quite possibly have been having fun with your WD MyCloud device or system as well. Its writeup logs not just one or two security issues with the MyCloud systems, but an entire host of security issues. If you own any Western Digital MyCloud device, you might want to consider taking off your network at the moment now that all of this is public. Then again, if you want those "private" family moments exposed, leave it plugged in!
At Exploitee.rs, we normally attempt to work with vendors to ensure that vulnerabilities are properly released. However, after visiting the Pwnie Awards at the last BlackHat Vegas, we learned of the vendor’s reputation within the community. In particular, this vendor won a “Pwnie for Lamest Vendor Response” in a situation where the vendor ignored the severity of a set of bugs reported to them. Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible. Through this process, we’re fully disclosing all of our research and hoping that this expedites the patches to users’ devices.
I did reach out to Western Digital about these issues, and got the following response this morning, so at least we know WD knows....now.
I am working with our team now on this and will hopefully have a respond by end of day.
At Exploitee.rs, we normally attempt to work with vendors to ensure that vulnerabilities are properly released. However, after visiting the Pwnie Awards at the last BlackHat Vegas, we learned of the vendor’s reputation within the community. In particular, this vendor won a “Pwnie for Lamest Vendor Response” in a situation where the vendor ignored the severity of a set of bugs reported to them. Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible. Through this process, we’re fully disclosing all of our research and hoping that this expedites the patches to users’ devices.
I did reach out to Western Digital about these issues, and got the following response this morning, so at least we know WD knows....now.
I am working with our team now on this and will hopefully have a respond by end of day.