A security researcher recently contacted Western Digital identifying DNS-configuration vulnerabilities in a server supporting the My Cloud family of products. Within a few hours of notification, we changed the configuration and eliminated the vulnerability to enumerate domain names without authorization. Beyond the security researcher’s report, we have no evidence that any other unauthorized access was made prior to the elimination of the reported vulnerability. In addition, we performed an architecture and code review to measure the potential impact of other risks identified by the security report. Based on that review, we have prepared a balanced response that, in the event of detection of any active attacks, will mitigate those identified risks while minimizing potential disruptions to our customers.
We sincerely thank John W. Garrett for engaging Western Digital to responsibly disclose this concern in a manner that puts our customers and their security first. We highly value and encourage this kind of responsible community engagement and collaborative problem-solving because it ultimately benefits our customers by making our products better. We encourage all security researchers to report potential security vulnerabilities or concerns to WD Customer Service and Support at http://support.wdc.com.
