Latest firmware still vulnerable

Thanks Edith,

Some of us were unaware you had contacted Sam.  They let us know right away.

Bill

As for the delay (2 days), I apologize for the inconvenience… But I already expended some energy (more than I should) reaching out, sent the vuln detail once prior, and not to be snarky… But I do have a job that pays me which always takes precedence over this. So you’re welcome for reporting this yet again on my weekend down time :). /rant

We’re definitely looking into the vulnerability issue now.  And, yes, snarkiness is accepted.  :smiley:

Good morning Edith,

The information that you’ve reported is being analyzed by our development and security teams.

Thank You,

Samuel Brown

So it’s been 8 months and your device is still vulnerable to user → administrator elevation via XSS. Also, a non-user of WD can remotely enable remote access on the device without creds to the device. A bit negligent to leave this unpatched for this long, don’t you think? Any updates?

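The thread gives no details of the WD bug beyond "user → administrator elevation via XSS", so the following is an added illustration of that vulnerability class, not WD's code and not the reported issue. It assumes a hypothetical NAS web UI that renders a user-editable display name into an admin-only page, and a hypothetical `/api/users/...` endpoint the payload would call from the admin's session; both are invented for the example. The point is the kind of one-line fix (output encoding at the sink) the reporter refers to.

```javascript
// Added example (not WD's code): stored XSS from a low-privileged user into an
// administrator's page, and the output-encoding fix. Page layout, field names
// and the /api/users endpoint are assumptions for illustration only.

// Encode the characters that change meaning in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: the display name (settable by any user) is concatenated straight
// into the admin "users" page. Whatever the user typed becomes markup that runs
// with the admin's cookies when the admin opens the page.
function renderUserRowVulnerable(user) {
  return `<tr><td>${user.name}</td><td>${user.role}</td></tr>`;
}

// Fixed: identical template, every interpolated value encoded at the sink.
function renderUserRowFixed(user) {
  return `<tr><td>${escapeHtml(user.name)}</td><td>${escapeHtml(user.role)}</td></tr>`;
}

// Crude detector used only for the demonstration: the template itself contributes
// exactly three opening tags (<tr>, <td>, <td>); anything beyond that was injected.
function injectedTagCount(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.length - 3;
}

// Constructed sample (assumption): a non-admin whose display name carries an
// onerror handler that, if it ran in the admin's session, would promote the
// attacker's own account via the hypothetical admin API.
const attacker = {
  name: '<img src=x onerror="fetch(\'/api/users/attacker\',{method:\'PUT\',body:\'role=admin\'})">',
  role: "user",
};

// Run stand-alone to compare the two renderings.
console.log("vulnerable:", renderUserRowVulnerable(attacker));
console.log("fixed:     ", renderUserRowFixed(attacker));
console.log("injected tags (vulnerable):", injectedTagCount(renderUserRowVulnerable(attacker)));
console.log("injected tags (fixed):     ", injectedTagCount(renderUserRowFixed(attacker)));
```

Encoding at the rendering sink is the one-line class of fix; the same payload stored in the database is harmless once every path that emits it into HTML encodes it.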

In addition to posting to your thread you should, if you haven’t already, contact WD directly per their request.

We encourage all security researchers to report potential security vulnerabilities or concerns to WD Customer Service and Support at http://support.wdc.com

https://community.wd.com/t/my-cloud-dns-security-vulnerability-4-15-16/160289

Hi, what version of the firmware are you using? Also, we have passed this along to support.

AFAIK it’s the latest as of today - v04.04.03-113.

WD should have all the details. I shared it with them on 3 occasions via phone and email. It’s been 8 months since then.

Here’s a screenshot showing script injection into the console by a non admin user.


Wow!! This isn’t good at all :disappointed:

To Edith … although your original post was last October (Hard to believe nothing has been done about this), I Thank You for bringing this to WD’s attention again. Hopefully someone at WD will take this seriously.

Jesus…
Seems that I need to start visiting this forum more often.

@EdithKain
Please elaborate a little bit better.

Is this issue related to cloud access, NAS only, or those poor apps?
Is everyone exposed to it, or do we need some specific settings?

Thanks.

WD support wants a dump of my router log to troubleshoot a simple XSS I’m trying to report… [Deleted]?

It does come across as distinctly amateurish.

But then so does their entire product family development path. If I were WD’s CEO, I’d be taking a serious look at my dev team.

Apparently WD support wants to ban me for saying “what the f…” In my last reply. So I guess I’ll be posting in a different forum not controlled by WD. If I was WD I’d want the responsible security folks on their forum. But apparently WD cares more about clean language in their forums than gaping security holes in their product. Fun times.

You need to learn to swear in English, not American. Then you can say what you bloody well like; for instance that WD can’t be arsed to do anything about security flaws…

Actually, we take every security issue we encounter seriously. It’s just that it takes time to go through the process, and that would include router logs if we can get them.

Eight months…?

Not just 8 months… But 8 months for a one-line code fix.

I know of no security issues that we have not addressed. Can you specify what issue you are referring to? A link to something, maybe, so I can take a look at it.

Fourth time’s a charm? I reported the old issue to Bill_S.

BTW, found another vulnerability in MyCloud. Gives me access to MyCloud without an account. I’ll report it to Bill_S via PM.
