Wdphotos security issue

So I have reported this issue several times now, added comments and ratings to Android app store to reflect it and yet nobody seems care to want to fix this.

Issue: While accessing the cloud device via the wdphotos app a user is able to see all folders regardless if they have permission to do so. Revealing folder naming information is a security issue especially if you purposely don’t want users to see them. I know I certainly don’t want my customers or other users downloading the wdphotos app and then seeing all of my other customer folders via it. The main wdmycloud app does not have this issue and you only see what folders you have minimal read access to but you cannot keep someone from downloading the photos app.

How many people have you given access to your My Cloud?

I don’t think there is an easy workaround for this one. You could consider creating shares with random numbers instead of meaningful share names. The problem is that the NAS uses a built in media scanning, thumbnailing, indexing, downsizing to make the WDPhoto app run easily.

You could disable these services altogether, then WDPhoto would not work anylonger, but WDmycloud could. I didn’t try. You might want to ask in this post:

http://community.wd.com/t5/WD-My-Cloud/Sleeping-problem-is-worse-then-we-thought/m-p/687165

This issue is not just with the share names but with every folder structure under the share.  I don’t see how this is such a difficult thing to fix when the main wdmycloud app does not have this issue. If you remove permissions from a share that folder and anything below it simply dissappears from your view.

If it cant be fixed then I would recommend 2 options.

  1. remove the wdphotos app from all app stores and stop providing it to the public

  2. remove all users and permissions settings from the device overall and simply make it all public. After all why have the settings if you can’t enforce them.

I have many users that have access to my device for personally and business reasons.  Family members, business partners, etc… I set up folders that are globally readable by all users and many that are only viewable by specific customers.