Reporting security vulnerabilities

I bought a new drive today and upon setting it up I’ve passively noticed a security vulnerability in WD MyCloud drive.  Does anyone know where I can report this to?  I can’t find direct contact info for reporting security issues.  I’ve also tried creating a support ticket but the system appears to be down. (It doesn’t let me create a new ticket on Win10)  I obviously want this fixed before I start uploading all my personal info to this drive…  Any help appreciated.  Thanks!

EdithKain wrote:

I bought a new drive today and upon setting it up I’ve passively noticed a security vulnerability in WD MyCloud drive.  Does anyone know where I can report this to?  I can’t find direct contact info for reporting security issues.  I’ve also tried creating a support ticket but the system appears to be down. (It doesn’t let me create a new ticket on Win10)  I obviously want this fixed before I start uploading all my personal info to this drive…  Any help appreciated.  Thanks!

I’ve noticed that serious issues reported here get forwarded to WD personnel by the moderators. There are quite a few very engaged folks here who have posted; would you mind sharing in more detail the vulnerability you passively noted?

EdithKain wrote:

I bought a new drive today and upon setting it up I’ve passively noticed a security vulnerability in WD MyCloud drive.  Does anyone know where I can report this to?  I can’t find direct contact info for reporting security issues.  I’ve also tried creating a support ticket but the system appears to be down. (It doesn’t let me create a new ticket on Win10)  I obviously want this fixed before I start uploading all my personal info to this drive…  Any help appreciated.  Thanks!

What is the security vulnerability? There has been a topic or two where people thought there was a security vulnerability with the WD My Cloud that turned out to be the standard operating procedure for the drive and not a security vulnerability.

It’s the type of vuln that companies with security bounty programs have paid $5000 for. Posting the details here is equivalent to doing an FD and putting everyone (including myself) at risk. So sadly I can’t post the details in a public forum.

And you found this vulnerability ‘passively’ (i.e. you stumbled upon it rather than deliberately searching for security vulnerabilities)?

Kudos.

A number of people in the past have asked for details of a security contact at WD. None has been forthcoming from the WD reps that sometimes visit the forum. Your best hope is to try Support again, or, failing that, try contacting one of the moderators using a PM; you’ll find some obvious candidates in the sticky threads.

WD really should set up a vulnerability reporting email. In a world where companies are offering bounties (and competing for researchers’ time with higher bounties) to secure their products, not having an endpoint for collecting FREE vuln info is akin to burying their head in the ground. It surpasses incompetence and is treading into negligent territory.

Gotta wonder how many low-hanging 0-days remain unreported since it’s too cumbersome to report issues? More tangibly, wonder what happened to the command injection vuln found last year at Black Hat?

Oh well. 

Thanks for all the suggestions for how I might mine this forum for promising contacts. My vuln report is just one issue. Seems like there’s a larger systemic issue that my single vuln report won’t solve. I’ll check WD products again in a few years. Till then be safe!


EdithKain wrote:

WD really should set up a vulnerability reporting email. In a world where companies are offering bounties (and competing for researchers’ time with higher bounties) to secure their products, not having an endpoint for collecting FREE vuln info is akin to burying their head in the ground. It surpasses incompetence and is treading into negligent territory.

Gotta wonder how many low-hanging 0-days remain unreported since it’s too cumbersome to report issues? More tangibly, wonder what happened to the command injection vuln found last year at Black Hat?

Oh well.

Thanks for all the suggestions for how I might mine this forum for promising contacts. My vuln report is just one issue. Seems like there’s a larger systemic issue that my single vuln report won’t solve. I’ll check WD products again in a few years. Till then be safe!

I have a great deal of respect for Western Digital HARDWARE. I certainly don’t think that, wrt consumer security, they are ready for prime time! I’ve completely disabled Internet access to MC at my router and use it effectively in home.

Taking WD off the Internet doesn’t help if you have at least one machine that a) has access to My Cloud and also b) has access to the Internet. Remember, all webpages (including ads) you load in your browser from the Internet can initiate requests to your intranet resources without traversing back to the Internet. By design your browser can proxy Internet requests to intranet resources. A simple vuln in WD that enables you to cross the domain boundary can be fatal. Just something to be mindful of.
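The "browser as a proxy into the LAN" point in the post above is the classic cross-site request forgery setup: a page fetched from the Internet makes the victim's browser send a request to a LAN device, and the browser attaches the device's cookies without the request ever leaving the home network. The block below is an added example written for this thread, not code from the original post or from WD. It shows which cross-origin requests a browser sends with no CORS preflight (so they reach the device regardless of its CORS handling) and the Origin/Host check a device's handler for a state-changing endpoint would need to tell its own web UI apart from some other site. All hosts, IPs, URLs and sample requests are constructed for illustration.

```javascript
// Added example for this thread; not from the original post or from WD.
// Models the CSRF-into-the-LAN risk described above and the server-side
// check that defeats it. Hosts, IPs and requests below are constructed.

// Loopback, RFC 1918 and link-local IPv4 ranges (the usual home-NAS addresses).
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const o = m.slice(1).map(Number);
  if (o.some(x => x > 255)) return false;
  const [a, b] = o;
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Browsers send these cross-origin requests WITHOUT a CORS preflight, so they
// reach the device whether or not it implements CORS: GET/HEAD, and POST with
// a form-style Content-Type (what <form>, <img> and no-cors fetch() produce).
const SIMPLE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
function reachableWithoutPreflight(req) {
  const method = req.method.toUpperCase();
  if (method === 'GET' || method === 'HEAD') return true;
  if (method !== 'POST') return false;
  const ct = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  return ct === '' || SIMPLE_TYPES.includes(ct);
}

// Decision for a state-changing endpoint. Only a request whose Origin matches
// the Host the browser addressed counts as coming from the device's own UI; a
// request with no Origin (e.g. an <img> GET) or from another origin is rejected.
// crossSiteIntoLan records whether this request would have reached a LAN device
// through a victim's browser with no preflight, i.e. the scenario in the post.
function evaluateRequest(req) {
  const hostHeader = req.headers['host'] || '';
  const hostOnly = hostHeader.split(':')[0];
  const origin = req.headers['origin'];
  let originHost = null;                       // scheme dropped, host:port kept
  if (origin && origin !== 'null') {
    try { originHost = new URL(origin).host; } catch (e) { originHost = null; }
  }
  const sameOrigin = originHost !== null && originHost === hostHeader;
  const crossSiteIntoLan = !sameOrigin && isPrivateIPv4(hostOnly) && reachableWithoutPreflight(req);

  if (!origin) return { allow: false, reason: 'missing Origin header', crossSiteIntoLan };
  if (!sameOrigin) return { allow: false, reason: 'cross-site origin ' + origin, crossSiteIntoLan };
  return { allow: true, reason: 'same-origin', crossSiteIntoLan };
}

// Constructed sample requests, as a NAS at 192.168.1.20 would see them.
const SAMPLES = {
  // Hidden auto-submitting <form> on an Internet page: no preflight, cookies attached.
  attackerForm: { method: 'POST', headers: { host: '192.168.1.20', origin: 'https://ads.example',
                  'content-type': 'application/x-www-form-urlencoded' } },
  // <img src="http://192.168.1.20/..."> on the same page: a GET with no Origin at all.
  attackerImg:  { method: 'GET', headers: { host: '192.168.1.20' } },
  // Cross-site fetch() with a JSON body: needs a preflight, so CORS gets a say first.
  attackerJson: { method: 'POST', headers: { host: '192.168.1.20', origin: 'https://ads.example',
                  'content-type': 'application/json' } },
  // The device's own web UI posting a settings change.
  ownUi:        { method: 'POST', headers: { host: '192.168.1.20', origin: 'http://192.168.1.20',
                  'content-type': 'application/x-www-form-urlencoded' } },
};

function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = evaluateRequest(req);
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The `attackerForm` and `attackerImg` cases are the ones the post warns about: they are rejected only because the handler insists on a matching Origin, not because of anything the router does. A device that accepts such requests on the strength of a session cookie alone is exploitable from any web page the owner happens to load. Newer browsers also send `Sec-Fetch-Site: same-origin` on requests from the device's own pages, which can back up the Origin check; a per-session CSRF token in the form body is the traditional alternative.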

Hello EdithKain

My name is Samuel Brown and I can put you in contact with the people within our organization who handle such matters.

I’ll PM you for contact information.

Thank You

Samuel Brown