Information security consultancy SEC Consult has exposed a major vulnerability in Western Digital’s My Cloud storage devices, rendering them easy targets for hijacking.
Anyone who can reach the administrative web server, either through the public Internet or a user’s private network, can execute arbitrary commands on the machine and upload files. WD’s firmware also has cross-site request forgery vulnerabilities, so a My Cloud owner who surfs to a compromised site could lose control of the device.
Back in January, SEC Consult gave WD a ninety-day window to fix the holes before going public with its findings – but since then a third party has blown the whistle. As there’s no immediate solution on the horizon, the best advice is to firewall or unplug My Cloud and sit tight.