Although Western Digital released some initial fixes a couple of months ago, reports indicate that the company has not addressed all the vulnerabilities that exist in its My Cloud storage devices. Instead, it plans to patch the remaining security holes through future updates.
The vulnerabilities were originally discovered by the security firm GulfTech last year. The flaws essentially allow remote backdoor admin access through the username “mydlinkBRionyg” and password “abc12345cba”. The affected devices were also found to have a flaw that would let potential attackers gain remote access through a file upload action. In addition, the researchers at GulfTech found that the My Cloud devices in question are vulnerable to security issues such as cross-site request forgery, command injection, denial of service (DoS), and information disclosure.
After discovering the vulnerabilities in the affected devices, GulfTech notified Western Digital in June last year, which eventually resulted in the release of some firmware updates in November. However, the security firm reveals in an advisory on its blog that some key vulnerabilities still remain.
Western Digital, for its part, recommends that My Cloud users disable Dashboard Cloud Access and turn off the additional port-forwarding functionality to mitigate the issue. Importantly, these workarounds are valid only for the issue that lets an attacker reach the owner’s local network by exploiting the default settings or by gaining backdoor access via Dashboard Cloud Access, which is available on devices including My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud EX2 Ultra, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100, My Cloud PR4100, My Cloud Mirror, and My Cloud Mirror Gen 2. Nevertheless, we can expect fixes for all the issues that exist in the My Cloud family through future updates.
Meanwhile, Western Digital continues to remind its users to keep the firmware on their devices up to date and to allow automatic updates. Users are also urged to implement “sound data protection practices” such as regular data backups and password protection to keep their experience secure. “Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover. We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities,” the company writes in a blog post.