Re: Potential Security Vulnerabilities with My Cloud Personal Cloud Systems

http://community.wd.com/t5/My-Cloud/Potential-Security-Vulnerabilities-with-My-Cloud-Personal-Cloud/td-p/898578

I hope this marks a new attitude to security issues on WD’s part. I look forward to the more collaborative problem-solving, and keeping Users informed of identified security vulnerabilities, so they can make an informed choice on whether the level of risk is acceptable.

Previous security concerns have met with silence.

http://community.wd.com/t5/My-Cloud/Trying-to-pretend-security-vulnerabilites-don-t-exist-won-t-make/m-p/898190/highlight/true#M40151

http://community.wd.com/t5/My-Cloud/Firmware-update-resets-all-setting/m-p/895778/highlight/true#M39667

http://community.wd.com/t5/My-Cloud/Reporting-security-vulnerabilities/m-p/895777/highlight/true#M39666

http://community.wd.com/t5/My-Cloud/Security-Bugs-in-MyCloud/m-p/868373/highlight/true#M33008

http://community.wd.com/t5/My-Cloud/My-ISP-reported-an-issue-with-My-Cloud/m-p/867041/highlight/true#M32656

http://community.wd.com/t5/My-Cloud/announcement-of-forthcoming-release-of-OpenSSL-on-19th-march-1-0/m-p/864575/highlight/true#M31945

http://community.wd.com/t5/My-Cloud/a-fix-is-in-the-making-for-these-vulnerabilities/m-p/860968/highlight/true#M31039

http://community.wd.com/t5/My-Cloud/Samba-vulnerability-CVE-2015-0240/m-p/859273/highlight/true#M30617

http://community.wd.com/t5/My-Cloud/GHOST-vulnerability-CVE-2015-0235/m-p/847051/highlight/true#M29024

http://community.wd.com/t5/My-Cloud/Version-of-Samba-in-mycloud-vulnerable-to-CVE-2014-3560/m-p/845621/highlight/true#M28693

http://community.wd.com/t5/My-Cloud/Product-Security-Contact/m-p/845359/highlight/true#M28640

I did some checking into the threads you posted.  In some of the threads users were simply posting questions and concerns.  As for the actual vulnerabilities brought up in the threads, we have either already fixed them or will shortly. The vulnerabilities we have fixed can be found listed in the firmware release notes.  

I want to reiterate, however, that we do take security issues seriously, and we do work towards making our products as secure as possible. So, if an issue arises, you can rest assured that we will jump on it right away.  Moreover, we have been notifying users when we’ve identified legitimate security issues.  I know because I’m the one that posts them in the forums.  

Furthermore, and I’m not sure how aware users are of this, but WD has already become very proactive in soliciting help from users when product issues arise.  We contact the users, usually within a day or so, to get as much information as we can to correctly identify and replicate the issue on our test products.  

Finally, what you or others may perceive as silence, is simply us working with the affected users behind the scenes investigating the issue.  If it turns out to be a real bug, there is nothing more that can be done until it is fixed in another firmware update, hence the apparent silence.  What we have started doing more of is posting what has been fixed in a firmware update.  

Hopefully, this helps to clear things up a bit.


Cross posting this link from another post in another thread.

An explanation of one of the vulnerabilities previously discussed.

Command Injection in the WD My Cloud NAS

Prerequisite Information

The command injection and CSRF vulnerabilities were discovered in firmware versions _04.01.03-421_ and _04.01.04-422_, with the latter being the most current version as of September 11th 2015. Previous versions may be affected as well as other WD NAS products.

Mitigation

What can the average user of the WD My Cloud and other products do to reduce the likelihood of becoming a victim of this attack? The surest way to resolve these exploits is to ensure that your WD My Cloud or any other product you own is updated to the latest firmware. This can be done by logging into your device and checking the availability of updates. However, not all devices will have an update available until September 21st 2015. So until your device is updated the following strategies can help reduce the likelihood of a successful attack:

  1. Never click on links or download file attachments in e-mails or anywhere on the Internet from people or sources you do not know or trust. And even if you do trust them, verify the authenticity of the request.
  2. Never submit credentials without first verifying the authenticity of the request. Who is asking? Why are they asking? Etc.
  3. Disable WebRTC in your browsers. In Firefox this can be done with the Disable WebRTC plugin. In Chrome use the WebRTC Block plugin.
  4. Restrict access to the My Cloud device to only trusted users that need access to it. Any authorized user of this device with enough technical knowledge can gain remote access to every file.
  5. Disable remote access to the device if it is not needed.
  6. Place the WD My Cloud on a separate subnet away from client machines.