@Lauri_Lehto I found a security issue with WD Sync and MC in general. I have disabled the cloud access to my MCM until this can be addressed via firmware update.
In short, your files can be accessed by someone other than yourself. Videos and files were being transferred over HTTP and not HTTPS. I’m surprised no security experts have not call WD after Versprite identified in August. Security holes should have been plugged with a top to bottom review.
“Remote access is typically done through the client application, which
is available for Windows, Mac, Android, and iPhone. This client
application is just a GUI front-end for the RESTful API mentioned
before. VerSprite found that any authorized remote user of the device
can remotely execute commands and steal files belonging to other users
regardless of their permissions by abusing functionality within the
RESTful api and the client applications. Worse yet, the attacking user
will have root access to the NAS in a private internal network, so more
can be at stake since an attacker can use this to pivot through the
network.”
Command Injection in the WD My Cloud NAS
http://versprite.com/og/command-injection-in-the-wd-my-cloud-nas.html/
Video
