Mine has been offline (internet access) for 3 months awaiting a fix. No one seems to understand why it is taking so long since this issues has been known for 6 months.
There is a fix posted on the forum, but that requires SSH’ing into the My Cloud and changing the firmware. This, in turn, could void your warranty so beware.
WD support came back to me with this update:
We were able to verify the information but unfortunately we do not currently have target date for the next WD Firmware release. Our engineering team is working on it and the next firmware version should be released soon.
I find it incomprehensible that an IT company can hope to do business like this. When you buy an internet ready cloud storage device, the assumption is that you can access it from the internet. I cannot understand why the engineering team is unable to give even a ballpark figure for how long to fix and test something (and SectorGZ says, this is hardly new). My assumption is that no effort is being made in this area and that focus is only on new devices. I can’t imagine that the device I buy to replace this is going to be from WD…
Last weekend I was visiting a friend, road trip, and he mentioned he just purchased a 4TB My Cloud and was having issues logging into the dashboard, I didn’t even knew he bought the device. I did a power on 40sec. reset and got into the dashboard to help him set the My Cloud up.
He is a HUGE music inficiato and purchased the device for primary storage and internet access for his devices and purposes. After explaining the security issues, turning off features (such as “Media Serving”) within his shares to make the My Cloud functional, etc., and showing him this forum with all the issues that are not being addressed he has decided to clear and return the My Cloud.
He was a big fan of WD as he owns many of their devices ( HDD’s, MyBooks, etc.) and is very disappointed that WD has taken such an approach to it’s customers. What could I say?
Could you please (as I have searched most everywhere and only really come up with poodle and heartbleed/shellshock) list the security vulnerabilities that is constantly being brought up about the device?
I only ask so that I can compare to my existing cloud and see where my device stands as I literally used it to replace my dropbox.
Pretty sure it is just Poodle, heartbleed and shellshock. January firmware upgrade addressed Freak.
These are the ones that ACMA is asking Australian ISPs to cut off customers for having…
If that’s the case my v4 firmware shows not vulnerable for poodle and I believe all shellshock/heartbleed.
poodlescan.com will take your public IP and scan it.
I purposely scanned mine and first tested vulnerable then updated ssl and tested not vulnerable after that.
From ssh I tested bash by using the command
curl https://shellshocker.net/shellshock_test.sh | bash
Everything came back not vulnerable.
Is there anything else I’m missing? Just want to make sure I’m secure enough.
I use the WD service https://www.wd2go.com which will redirect to https://mybooklive-device???.wd2go.com/Admin/webapp
What URL are you using for remote admin access to your device?
I don’t use wd2go.com, it never seems to want to work right for me. Could be because of my hosts blocking file on all my pc’s/tablets/laptops.
If I have to admin my device I vpn into my home network (via ddwrt).
To access the cloud device for files I use the wd app with port forwarding properly configured.
I could be mistaken in your question so apologies on that. If you are talking about adding/removing a device from your wd2go account I don’t do that either thanks to my vpn and/or the activation codes for cloud access.
I do know that I went through extra steps and backwards a couple of times to get my scans to show not vulnerable.
If I am also missing anything feel free to let me know. I plan on getting another 3tb mycloud just to play around with so that I can stop bringing down my main cloud whenever I want to try/test/change things.
When can we expect a fix for this? I am really disappointed that WD has known about this since at least october of last year and still have not came up with a fix!
Is WD still selling new My Cloud with this vulnerability or you guys just don’t want to fix the issue for people who bought the drive last year? Either way this is very unprofessional for a company
A security vulnerability (POODLE Attack, CVE-2014-3566) in the popular OpenSSL encryption software, which is widely used to secure Web-based communications and services, affects My Cloud and other WD personal cloud products through their function as a web server.
For all WD personal cloud products – My Cloud, My Cloud Mirror, My Cloud EX2, My Cloud EX4, My Cloud EX 2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Book Live and My Book Live Duo – a solution is being developed and is planned for availability within 90 days.
it’s good to know that there is a planned release date for the fix at last.
From my perspective, if this is a guaranteed date then I will wait for it rather than buying alternative kit.
From my understanding, it’s a hard date. We have committed to having it fixed by then.
Thanks for the security test info.
I got a slightly different result when I tested for shellshock.
WDMYCLOUD:~# curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7305 0 7305 0 0 240 0 --:--:-- 0:00:30 --:--:-- 1809
bash: line 1: syntax error near unexpected token `newline'
bash: line 1: `<!DOCTYPE html>'
WDMYCLOUD:~# Everything came back not vulnerable.
When I see
bash: line 1: syntax error near unexpected tokennewline’`
I am highly skeptical of the closing line
Everything came back not vulnerable.
When looking at what is actually downloaded, you’ll see
The initial connection between Cloudflare's network and the origin web server timed out. As a result, the web page can not be displayed.
near the end of the file.
Maybe there is a newer site for the shellschock test?