Despite releasing some initial fixes a couple of months back, it has now been confirmed that Western Digital hasn’t addressed all the vulnerabilities exist in its My Cloud storage devices. The company has instead planned some future updates to patch the security loopholes spotted in as many as 12 of its devices.
Security firm GulfTech originally found the vulnerabilities last year that allow remote backdoor admin access through the username “mydlinkBRionyg” and password “abc12345cba”. The affected devices were also spotted to have a flaw that would let potential attackers gain remote access through a file upload action. Similarly, the researchers at GulfTech found that the My Cloud devices in question are also vulnerable to security issues such as cross-site request forgery, command injection, denial of service (DoS), and information disclosure.
After getting the reaching of the vulnerabilities exist in the affected devices, GulfTech in June last year intimated Western Digital that eventually resulted in the release of some firmware updates in November. However, the security firm in an advisory to its blog post reveals that some key vulnerabilities still remain.
Western Digital, on its part, recommends that My Cloud users should disable the Dashboard Cloud Access and turn off the additional port-forwarding functionalities to overcome the issue. These workarounds are importantly valid only for the issue that enables a hacker to access to the owner’s local network by exploiting the default settings or through gaining a backdoor access via Dashboard Cloud Access, which is available on devices, including My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud EX2 Ultra, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100, My Cloud PR4100, My Cloud Mirror, and My Cloud Mirror Gen 2. Nevertheless, we can expect fixes for all the issues exist in the My Cloud family through some future updates.
In the meanwhile, Western Digital is reminding its users to ensure the presence of up to date firmware on their devices and enable automatic updates. The users are also urged to implement “sound data protection practices” such as regular data backs and password protection to continue to get a secured experience. “Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover. We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities,” the company writes in a blog post.