Recycle Bin Vulnerability

Model: My Cloud Pro PR4100
Firmware Version: 2.21.126

To guard against crypto ransomware and other threats, I recently created a new user account and granted it “Read Only” access to the shares/files stored on my NAS. However, I was horrified to discover that this user account has network (Samba) “Read/Write” access to the recycle bins for ALL shares.

In this case, I believe that the logged-in user account should have the same permissions that are granted to the share which the Recycle Bin is associated with.

For example:

SHARE_1 (Read Only)
SHARE_1_RECYCLED (Read Only)

SHARE_2 (Deny Access)
SHARE_2_RECYCLED (Deny Access)

SHARE_3 (Read / Write)
SHARE_3_RECYCLED (Read / Write)

This is a HUGE security vulnerability, so I suggest fixing it ASAP.

You might want to consider reporting this to support rather than just in this forum.

In the past, I’ve tried reporting similar issues to support, but it was more trouble than it was worth. All I got for my trouble was scripted responses, requests for invasive logs, and escalations that went nowhere.

Posting to a public forum can sometimes be much more effective than you might think, even if there is never an official response. Darkness withers in the light…