WD My Cloud - share password bypassed by Android ES File Explorer

my 2TB WD My CLoud is running firmware v04.00.00-607

I have set it up with 3 shares

  1. a public one with DLNA enabled

  2. a public one without DLNA

  3. a private one - without DLNA and which requires username/pwd to be accessed.

There is only one user defined on the WD and it’s the only user to have full access to share#3.

On my laptops (mac / linux / windows ) when trying to access share#3 I get correctly challenged to enter my credentials.

If I use Android’s ES File Explorer, i can just select the LAN tab, select the ip address of the WDMyCloud, and select the private share, and voila’ I’m in and can access its contents. I cannot write, but I can read everything.

Notably, ES also shows the system share “IPC$” (not shown on mac/linux) but that is unaccessible.

I have repeated the test - creating a new user, a new private share for her etc. the result is the same.

This looks to be a scurity bug, please fix ASAP

I am always prompted via ES File Explorer for credentials – unless I told ES to save them.

Are you sure you haven’t done that?

Hello,

We have passed this along to support.

TonyPh12345 wrote:

I am always prompted via ES File Explorer for credentials – unless I told ES to save them.

 

Are you sure you haven’t done that?

 

sure.

As I said in my original post - I retested by creating a new user and a new share private to her, and the result was the same.

Interesting, I would like to add to this that I use WD Live TV to access WDMyCloud as DLNA.

IF i log in as anonymous, I can see all private shares and play videos without logging in (DLNA enabled on private shares but they are password protected).

I am also on firmware v04.00.00-607

DLNA has no privacy or protection, so it will not ask for passwords because there are none.

I have updated the WD My Cloud firmware today. v04.00.01-623

I have been unable to reproduce my issue again.

I tried having two users with a private share each and other public shares.

When using Android  ES file explorer, depending on whether I have defined the server as anonymous, user1 or user2, I can now access the folders correspondingly as expected.

I emailed support to let them know I am no longer able to reproduce the issue.

I would like to reopen this question as it is no longer resolved. ES File Explorer is able to bypass all passwords.

My Firmware info:

Current Version WDMyCloud v04.01.00-408 : Core F/W

Last Update Tuesday, October 28, 2014 5:19:26 AM

As of today (Nov 9, 2014) it has not been resolved.