Skip to main content
  1. Home
  2. Computing
  3. News

WD My Cloud web interface could give hackers the key to your files

By

WD PR4100 NAS review
Anthony Thurston/Digital Trends
Western Digital’s My Cloud network-attached storage (NAS) drives feature several unpatched security problems which could leave users vulnerable to attack by nefarious individuals. WD has been made aware of the flaws in the system, and the team that discovered the bugs has now made them available to the public in the hope that it encourages a quicker turnaround on a fix.

Traditionally, the playbook for revealing security issues with hardware or software is to let the manufacturer know first. That way, the company has some time to fix up the problem without it negatively affecting its business. More importantly, it means that hackers who weren’t aware of the bug don’t exploit it while it’s being fixed.

Recommended Videos

In this case, Exploitee.rs (via Engadget) who who discovered the bugs, made them public straight away due to what was described as WD’s “reputation within the community.” More specifically, Western Digital earned the Pwnie award at BlackHat Las Vegas 2016 for “Lamest Vendor Response” to bugs revealed to it in the past. By alerting the community, Exploitee hopes that users can avoid this particular drive range until WD goes ahead and fixes it.

Please enable Javascript to view this content

There are actually a few bugs that were found as part of this latest investigation. Although they were specifically discovered on the My Cloud PR4100, they are expected to impact the entire My Cloud range. They are mostly to do with poorly written login scripts which could allow a hacker to bypass the certification system entirely, but others allow unauthorised file uploads, missing login requirements, and poorly implemented web interface commands.

Western Digital MyCloud Multiple Remote Root Exploits

While WD has yet to issue a response to these claims, My Cloud owners would be wise to keep their NAS drive offline for the time being and restrict it to your local network until several security fixes are released.

Editors’ Recommendations

Topics
Jon Martindale
Jon Martindale
Evergreen writer
Jon Martindale is a freelance evergreen writer and occasional section coordinator, covering how to guides, best-of lists, and…
Here’s why some PC gamers shouldn’t install the latest Windows 11 update
Overwatch 2 running on the LG OLED 27 gaming monitor.

The latest Windows 11 update, codenamed 24H2, has been a troubled rollout for Microsoft, but one thing's been clear from the beginning: PC gamers should wait to install it. Let's add another issue to the list, shall we?

As spotted by Windows Latest, Microsoft has confirmed in an update to its Windows 11 24H2 problems page, that Windows 11 24H2 is causing issues with its Auto HDR feature. The result of the bug is that incorrect colors are being displayed or, even worse, are breaking games entirely and causing them to not be responsive.

Read more
Someone just got the Intel B570 GPU a month in advance — and it works
ASRock's Arc B570 Challenger GPU.

Although Intel's Arc B580 is already here, the B570 is only set to launch on January 16. However, a German retailer listed the card well ahead of time and, surprisingly, one B570 actually shipped to a customer. The B580 is one of the best graphics cards for budget-conscious gamers, but how will the B570 compare?

Early listings and preorders happen shockingly often. For example, yesterday we found an RTX 5090 PC priced at well over $6,000. However, those listings often don't amount to much, and the items don't ship until their designated release dates -- but not this time.

Read more
We might get a new Steam Deck next month — and Valve isn’t making it
The Steam Deck OLED on a pink background.

I expected to see some new handheld gaming PCs this year at CES, but it looks like something even more exciting is in store. AMD and Lenovo are hosting an event during the week of the show, and it'll have two special guests in attendance: Valve's Pierre-Loup Griffais and Microsoft's Jason Ronald.

I'll be attending the event on January 7, about which Sean Hollister over at The Verge initially shared out the details. There are a couple of reasons why this event could be significant. First, Valve. Since the launch of the Asus ROG Ally, there have been a handful of these types of events featuring spokespeople from AMD, Microsoft, and the company making a handheld -- Lenovo or Asus. Valve hasn't ever been in attendance, and considering Valve makes the Linux-based Steam Deck, it would be odd for the company to have a presence.

Read more