Discovered Vulnerability-related.DiscoverVulnerability by a security researcher who goes by the name of Zenofex , these security flaws have not been reported Vulnerability-related.DiscoverVulnerability to Western Digital , are still unpatched Vulnerability-related.PatchVulnerability , and with public exploit code is available for more than half of the vulnerabilities . According to Zenofex multiple WD MyCloud NAS device models are affected Vulnerability-related.DiscoverVulnerability , such as : Zenofex 's decision not to inform Vulnerability-related.DiscoverVulnerability Western Digital came after the researcher attended a security conference last year , where other infosec professionals complained about Western Digital ignoring vulnerability reports Vulnerability-related.DiscoverVulnerability . It was at the same conference , Black Hat USA 2016 , where Western Digital also won a Pwnie Award in a category called `` Lamest Vendor Response . '' `` Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure Vulnerability-related.DiscoverVulnerability is worked out , '' Zenofex argued his decision not to wait until Western Digital patches Vulnerability-related.DiscoverVulnerability the security bugs . `` Instead we ’ re attempting to alert Vulnerability-related.DiscoverVulnerability the community of the flaws and hoping that users remove their devices from any public facing portions of their networks , limiting access wherever possible , '' he added . Zenofex , who 's a member of the Exploitee.rs community , says he found Vulnerability-related.DiscoverVulnerability a whopping total of 85 security issues . Based on the exploit code , many of these security flaws can be exploited Vulnerability-related.DiscoverVulnerability by altering cookie values or embedding shell commands in cookie parameters . When the image loads inside their browser , the exploit code executes against the local NAS drive and takes over the device . The most severe of these issues , according to Zenofex , is authentication bypass issue , which ironically was also the easiest to exploit , requiring only the modification of cookie session parameters . And since Murphy 's Law applies to hardware devices as well , things went wrong all the way , and the commands are n't executed under a limited user , but run under root , giving attackers full control over affected devices , allowing them to upload or download data at will .

Western Digital My Cloud NAS devices have again been found Vulnerability-related.DiscoverVulnerability wanting in the security department , as two set of researchers have revealed Vulnerability-related.DiscoverVulnerability a number of serious flaws in the devices ’ firmware . WD My Cloud is meant to be a private cloud environment hosted at home or at a small organization ’ s office , and can be accessed either from a desktop located on the same network or remotely , with a smartphone , from wherever else in the world . Users can interact with it either via the administrative user interface or an application ( that uses a RESTful API ) . Zenofex , a member of the Exploitee.rs team , revealed Vulnerability-related.DiscoverVulnerability the existence of a login bypass issue , several command injection flaws , and a number of other bugs on Saturday . Then , on Tuesday , researchers with the SEC Consult Vulnerability Lab published a security advisory warning about : “ Due to [ no anti-CSRF mechanisms ] , an attacker can force a user to execute any action through any script . As the [ OS command injection and unauthenticated arbitrary file upload vulnerabilities ] do not need authentication , those can be exploited Vulnerability-related.DiscoverVulnerability via CSRF over the Internet as well ! ” , the researchers noted . SEC consult found Vulnerability-related.DiscoverVulnerability the flaws in version 2.11.157 of the firmware on a My Cloud EX2 device , but they believe that other My Cloud devices are almost surely vulnerable Vulnerability-related.DiscoverVulnerability as well , as the same ( or pretty much the same ) firmware is used on all of them . Zenofex did his testing on a My Cloud PR4100 device , but also noted that other My Cloud devices are vulnerable Vulnerability-related.DiscoverVulnerability to the same issues . In the wake of these latest revelations , Securify researchers again pointed to their own research and security advisories from January 2017 dealing with the same or similar vulnerabilities , found Vulnerability-related.DiscoverVulnerability on versions 2.21.119 and 2.21.126 of the firmware . All three groups say that the issues have yet to be fixed Vulnerability-related.PatchVulnerability by Western Digital . SEC Consult researchers complained about the company slow reaction to their responsable disclosure Vulnerability-related.DiscoverVulnerability efforts , while Zenofex noted that the company ’ s dismal reputation when it comes to patching Vulnerability-related.PatchVulnerability reported issues . So , he opted for public disclosure Vulnerability-related.DiscoverVulnerability , in the hopes that this will push the company to pick up the pace . “ Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure Vulnerability-related.DiscoverVulnerability is worked out . Instead we ’ re attempting to alert Vulnerability-related.DiscoverVulnerability the community of the flaws and hoping that users remove their devices from any public facing portions of their networks , limiting access wherever possible , ” he noted .