Data: CASIE
Negative Trigger
details
of
a
vulnerability
in
a
popular
cloud
storage
drive
after
the
company
failed to issue
Vulnerability-related.PatchVulnerability
security
patches
for
over
a
year
.
Remco
Vermeulen
found
Vulnerability-related.DiscoverVulnerability
a
privilege
escalation
bug
in
Western
Digital
’
s
My
Cloud
devices
,
which
he
said
Vulnerability-related.DiscoverVulnerability
allows
an
attacker
to
bypass
the
admin
password
on
the
drive
,
gaining
“
complete
control
”
over
the
user
’
s
data
.
The
exploit
works
because
drive
’
s
web-based
dashboard
doesn
’
t
properly
check
a
user
’
s
credentials
before
giving
a
possible
attacker
access
to
tools
that
should
require
higher
levels
of
access
.
The
bug
was
“
easy
”
to
exploit
,
Vermeulen
told
TechCrunch
in
an
email
,
and
was
remotely
exploitable
if
a
My
Cloud
device
allows
remote
access
over
the
internet
—
which
thousands
of
devices
do
.
He
posted
a
proof-of-concept
video
on
Twitter
.
Details
of
the
bug
were
also
independently
found
Vulnerability-related.DiscoverVulnerability
by
another
security
team
,
which
released
its
own
exploit
code
.
Vermeulen
reported
Vulnerability-related.DiscoverVulnerability
the
bug
over
a
year
ago
,
in
April
2017
,
but
said
the
company
stopped
responding
.
Normally
,
security
researchers
give
90
days
for
a
company
to
respond
,
in
line
with
industry-accepted
responsible
disclosure
guidelines
.
After
he
found
Vulnerability-related.DiscoverVulnerability
that
WD
updated
Vulnerability-related.PatchVulnerability
the
My
Cloud
firmware
in
the
meanwhile
without fixing
Vulnerability-related.PatchVulnerability
the
vulnerability
he
found
Vulnerability-related.DiscoverVulnerability
,
he
decided
to
post
Vulnerability-related.DiscoverVulnerability
his
findings
.
A
year
later
,
WD
still
hasn’t released
Vulnerability-related.PatchVulnerability
a
patch
.
The
company
confirmed
Vulnerability-related.DiscoverVulnerability
that
it
knows
Vulnerability-related.DiscoverVulnerability
of
the
vulnerability
but
did
not
say
why
it
took
more
than
a
year
to
issue
Vulnerability-related.PatchVulnerability
a
fix
.
“
We
are
in
the
process
of
finalizing
a
scheduled
firmware
update
that
will resolve
Vulnerability-related.PatchVulnerability
the
reported
issue
,
”
a
spokesperson
said
,
which
will arrive
Vulnerability-related.PatchVulnerability
“
within
a
few
weeks.
”
WD
said
Vulnerability-related.DiscoverVulnerability
that
several
of
its
My
Cloud
products
are vulnerable
Vulnerability-related.DiscoverVulnerability
—
including
the
EX2
,
EX4
and
Mirror
,
but
not
My
Cloud
Home
.
In
the
meantime
,
Vermeulen
said
that
there
’
s
no
fix
and
that
users
have
to
“
just
disconnect
”
the
drive
altogether
if
they
want
to
keep
their
data
safe
.