Latest firmware still vulnerable

You need to learn to swear in English, not American. Then you can say what you bloody well like; for instance that WD can’t be arsed to do anything about security flaws…

Actually, we take every security issue we encounter seriously. It’s just that it takes time to go through the process, and that would include router logs if we can get them.

Eight months…?

Not just 8 months… But 8 months for a 1 line code fix.

I know of no security issues that we have not addressed. Can you specify what issue you are referring to? A link to something, maybe, so I can take a look at it.

Fourth time’s a charm? I reported the old issue to Bill_S.

BTW, found another vulnerability in MyCloud. Gives me access to MyCloud without an account. I’ll report it to Bill_S via PM.

1 Like

Again Edith, Thank You for sticking with it.

Yes, security issues pop up in any software that is created, but 8 months is way too long to keep asking for information that has been pointed out to WD already. Part of the development team’s job should be finding these and other issues as they develop -or- accomplish it in a testing program before publicly releasing the software (Firmware).

I know Bill_S has helped me in the past, especially in getting a “ball rolling” for certain issues, hopefully he can in this case also. This, at least to me, is a VERY serious security issue if anyone can get access or take control of a My Cloud.

Sent Bill the issue and the one line code change needed to fix it. They can literally copy paste my message to plug the hole. The fix is 4 bytes long. Let’s see how long it takes to copy paste and deploy a patch.

1 Like

Well, to be fair, they will have to check that your four byte edit isn’t itself inserting a back door or degrading security… In order to do that, they’ll have to understand the vulnerability, and understand their code, and the nature and effect of your fix, then build it and regression test the new build.

By 4 bytes I really meant 4 ASCII characters. So perhaps it’s 28 bytes using 7 bits per character. A seasoned developer will be able to ascertain its impact, regression risk, etc. and patch it in less than 10 minutes.

I definitely got the ball rolling.

@EdithKain is the security issue you brought up in the private message the old or a new issue? If so, can you link me back to the original issue you brought up so I can follow up on that as well.

You have two vulnerability reports in your inbox. One is old, the other is new.

I see it now.

Almost 9 months and still vulnerable. It’s a 1 line code change…

2 Likes

Ok, it’s been 1.5 years. The vulnerability I reported is still present in the latest firmware. Reported in 2015, still repros in 2017. Seriously, wtf?

1 Like

This issue refers to MyCloud 1st-generation units as I see, right?
What about the 2nd-gen units?

Do what every other white hat does and post the vulnerability publicly, and make sure WD knows you have done so. That seems to be the only way to get action on something like this.

1 Like

If you still see a vulnerability, you will need to push it through support. That’s the best way to go.

Contact Support
http://support.wdc.com/support/case.aspx?lang=en

I would like to know if this issue refers only to the 1st-generation units?

I don’t have gen 2 hardware so I’m not sure. But isn’t gen 2 just a bump in hardware spec? I suspect much of the web interface used in both (which is where the issue is) would be the same. Forking it wouldn’t make sense so I’d bet the bug would exist in both gen 1 and 2. No way I’m shelling out money to buy gen 2 after this poor experience… :frowning:

I can try reporting it for the 5th time. I’m going to need a shot for having to report this so many times.

There are 2 vulns. One of them allows anyone to add an evil user account to your WD drive from the internet.