Hi @WD_Admin2 - thanks for the update. However, it says in the post:
"…if the My Cloud owner has enabled Dashboard Cloud Access (certain models*) or enabled additional port forwarding to such My Cloud devices. To mitigate this issue, we strongly recommend that My Cloud owners who have made such changes disable the Dashboard Cloud Access and ensure their router and My Cloud device are secure by disabling additional port-forwarding functionalities. "
How is this acceptable? This is one of the core functionalities of the WD My Cloud Mirror. The fact that “cloud” is in the name of the device, it implies that one should be able to access it from the cloud. With the directive to disable Dashboard Cloud Access and to remove port forwarding, it is single handedly cauterizing the fundamental functions of this device. By doing so, we are converting this into a simple NAS volume. I could have paid far less if all I was going to get was a simple, LAN-access only NAS device.
Furthermore, the post states:
We are working on a firmware update for this issue and will make it available on our support download site as soon as possible.
Can you provide parameters for what would be deemed an acceptable amount of time which satisfies “as soon as possible” ? A week? A month? A year? How long should we wait for a firmware update from WD to patch a vulnerability that was:
Patched by D-Link back in July 2014 on the DNS-320L model, from which WD ripped-off the source code (why didn’t WD patch the vulnerability after D-Link released the patch?) (Source)
Was disclosed to WD in June 2017, was confirmed by WD that the vulnerabilities exist, and committed to resolving the issue within 90 days, and failed to be patched by Jan 3, 2018 - nearly 180 days from when you acknowledged the vulnerability. (Source)
It appears that this exploit didn’t deserve WD’s serious attention until it made it into the media. That is irresponsible and unacceptable accountability from a company that apparently has “…the best selling NAS (network attached storage) device listed on the amazon.com website…” (Source).
What do you have to say for yourselves?