Latest firmware still vulnerable

Good morning Edith,

The information that you’ve reported is being analyzed by our development and security teams.

Thank You,

Samuel Brown

So it’s been 8 months and your device is still vulnerable to user → administrator elevation via XSS. Also, a non-user of WD can remotely enable remote access on the device without creds to the device. A bit negligent to leave this unpatched for this long, don’t you think? Any updates?

In addition to posting to your thread you should, if you haven’t already, contact WD directly per their request.

We encourage all security researchers to report potential security vulnerabilities or concerns to WD Customer Service and Support at http://support.wdc.com

https://community.wd.com/t/my-cloud-dns-security-vulnerability-4-15-16/160289

Hi, what version of the firmware are you using? Also, we have passed this along to support.

Afaik it’s the latest as of today - v04.04.03-113.

WD should have all the details. I shared it with them on 3 occasions via phone and email. It’s been 8 months since then.

Here’s a screenshot showing script injection into the console by a non admin user.

WoW!! this isn’t good at all :disappointed:

To Edith … although your original post was last October (Hard to believe nothing has been done about this), I Thank You for bringing this to WD’s attention again. Hopefully someone at WD will take this seriously.

Jesus…
Seems that I need to start visiting this forum more often.

@EdithKain
Please elaborate a little bit better.

Is this issue related to cloud access, the NAS only, or those poor apps?
Is everyone exposed to it, or do we need some specific settings?

Thanks.

WD support wants a dump of my router log to troubleshoot a simple XSS I’m trying to report… [Deleted]?

It does come across as distinctly amateurish.

But then so does their entire product family development path. If I were WD’s CEO, I’d be taking a serious look at my dev team.

Apparently WD support wants to ban me for saying “what the f…” in my last reply. So I guess I’ll be posting in a different forum not controlled by WD. If I was WD I’d want the responsible security folks on their forum. But apparently WD cares more about clean language in their forums than gaping security holes in their product. Fun times.

You need to learn to swear in English, not American. Then you can say what you bloody well like; for instance that WD can’t be arsed to do anything about security flaws…

Actually, we take every security issue we encounter seriously. It’s just that it takes time to go through the process, and that would include router logs if we can get them.

Eight months…?

Not just 8 months… But 8 months for a 1 line code fix.

I know of no security issues that we have not addressed. Can you specify what issue you are referring to? A link to something, maybe, so I can take a look at it.

Fourth time’s a charm? I reported the old issue to Bill_S.

BTW, found another vulnerability in MyCloud. Gives me access to MyCloud without an account. I’ll report it to Bill_S via PM.

Again Edith, Thank You for sticking with it.

Yes, security issues pop up in any software that is created, but 8 months is way too long to keep asking for information that has been pointed out to WD already. Part of the development team’s job should be finding these and other issues as they develop -or- accomplish it in a testing program before publicly releasing the software (Firmware).

I know Bill_S has helped me in the past, especially in getting a “ball rolling” for certain issues, hopefully he can in this case also. This, at least to me, is a VERY serious security issue if anyone can get access or take control of a My Cloud.

Sent Bill the issue and the one line code change needed to fix it. They can literally copy paste my message to plug the hole. The fix is 4 bytes long. Let’s see how long it takes to copy paste and deploy a patch.

Well, to be fair, they will have to check that your four byte edit isn’t itself inserting a back door or degrading security… In order to do that, they’ll have to understand the vulnerability, and understand their code, and the nature and effect of your fix, then build it and regression test the new build.