Latest firmware still vulnerable

Unbelievable! An unsecured login page!! :no_mouth:
What a huge portion of dilettantism!!

Read the thread…

There are a number of security vulnerability disclosures both from Edith Kain (like this one posted up thread) and from the Exploitee.rs website, Engadget and others relating to the My Cloud firmware.

Point is, several security exploits have been reported to WD before they were made public. WD (for whatever reason) is not dealing with these exploits in a timely manner until they were made publicly available. Once made public someone at WD tried the age old tactic of pointing fingers to deflect blame to someone else rather than simply admitting there are exploits and fixing them in a timely fashion.

The Wirecutter article mentioned above:
http://thewirecutter.com/reviews/best-network-attached-storage/

HardOCP articles:
https://www.hardocp.com/news/2017/03/07/western_digital_responds_to_mycloud_security_issues/
https://www.hardocp.com/news/2017/03/06/all_your_western_digital_mycould_base_are_belong_to_us/

You may want to look up the difference between full disclosure and responsible disclosure. Responsible disclosure is akin to someone telling the cops your house is unlocked/unsecured. Full disclosure is akin to taking out a full page ad on New York Times and letting everyone know your house is unlocked. It’s called having restraint and putting the greater good above your own need to prove a point. Make sense?

In other news CNN is not fake news and gravity is real even though you can’t see it :stuck_out_tongue:

I’m not really sure of the point you’re trying to make.

Edith has tried a number of times to inform WD of a vulnerability, over a period of two years. WD have repeatedly failed to act on that warning. Considering that Edith has identified a proposed fix, you would think that two years would be enough for WD to confirm the vulnerability, and the fix. Regardless of how dangerous the vulnerability, it is a vulnerability, and a responsible company would correct it.

This lack of response is indicative of a poor corporate policy towards security, and this response has been found by a number of black hat researchers.

There comes a point where legitimate researchers essentially have to ‘name and shame’ in an attempt to get a corporation to respond in a responsible manner.

There are many other examples that demonstrate that WD are not maintaining their firmware with a responsible attitude towards firmware security; witness the number of Linux packages that are years out of date, and not even fully released versions.

IMHO, WD deserve all the bad publicity they may get, regarding their poor support for their embedded firmware, not to mention their removing advertised features (remote mapping of the drive), or poor support for advertised features of their product (Twonky media server).

Well, that’s good, but the vast majority of WD customers don’t have the time or experience to start re-writing WD’s code.

And neither should they have to; customers have paid for a product marketed as a secure personal cloud. WD really ought to be maintaining their code.

If I disable internet access in my router for the IP of the WD MYcloud, is it enough to have this device as a LAN network only, and protected from the vulnerabilities?

I agree with this enquiry of @TM2017. It would be helpful for all us “noobs” if the “experts” would not only discuss some technical or ethical detail stuff but also give the lot of us less experienced users some short advice on what easy measures we could take to at least reduce the dangers …

On the other hand I would expect such advice from WD - but I think we could wait for ages before they would give voice in this matter… absolutely disappointing…

I believe the vulnerabilities show that even if you disable internet access at the router for the MyCloud and have a mapped drive on any PC you are vulnerable, assuming your PC has internet access. The exploits can see your MyCloud through your mapped drive on a PC and therefore gain access.

Thanks for the reply, but what do you mean by mapped drive? Even if I have the cloud enabled in the Dashboard and Internet access disabled on the router side, how is it still vulnerable?

I’m not an expert, I just want to have my mycloud connected to the LAN network without using “cloud” until they fix the vulnerabilities, if they fix them.

Not knowing what version your MyCloud is (Gen1 or Gen2) and not knowing what OS you are running, this answer is kind of vague, but your best bet would be to read the user manual for your version of MyCloud. These are posted on the WD support site.

In general Drive mapping is how operating systems, such as Microsoft Windows, associate a local drive letter (A through Z) with a shared storage area to another computer over a network.

Read post #174

You may:

  • disable remote access on mycloud ui
  • block internet access to mycloud hdd on your router (by mac or ip)
  • disable httpd service

But nobody can assure that all this will be enough.

@ultra_maximum
@dswv42
Thanks a lot, guys, for this very useful advice and input! :+1:
I know there is no 100% security - but at least it helps me to decrease the risks…

Thanks :wink:

“Million dollar question”: do you know when they will release a new version?

A crystal ball seems to be needed for this…

Most here are users/customers just like yourself. We do not work for WD so we have no clue or idea when WD will (if ever) release new firmware for the other WD My Cloud versions (they’ve only released firmware for three other models currently) that address some or all of the publicly reported security vulnerabilities. Keep an eye on the following page for updates as well as the current subforum:

https://community.wd.com/c/announcements-and-discussions/news-announcements

On a side note we did a little speculating at one point with posting firmware release dates in either this or the other discussion on the vulnerabilities. See the following two posts earlier in the current thread.

https://community.wd.com/t/latest-firmware-still-vulnerable/96743/114

https://community.wd.com/t/latest-firmware-still-vulnerable/96743/115

Unfortunately for the single bay/single drive My Clouds WD decided that users cannot set the main Public Share to Private through the Dashboard, meaning there will always be one Public Share that anyone can access on the My Cloud if one can gain access to the My Cloud.

Currently one would have to use SSH to modify the firmware files to disable the Public Share or change its settings. It’s something that has been complained about several times in the past.

https://community.wd.com/t/public-share-public-access-on/96854

https://community.wd.com/t/removing-public-share-wd-mycloud/137086

The Cloud Ideas request (so far unheeded by WD):

https://community.wd.com/t/manage-public-share-user-access-at-least-a-read-only-option/97231

I just checked your link.
For two days there are additional updates for Mirror, EX2, EX4.

Not yet for EX2Ultra I need…

WD is committed to… (please complete the sentence) :wink:

…not give updates :grin: