Most WD My Cloud devices can be hacked
-
An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device.
Whenever an admin authenticates, a server-side session is created that is bound to the user's IP address. After the session is created it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.
Company refused to fix such stupid hole for 15 months!
Start New Topic
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Categories
- Topics List23,965
- Blog5,723
- General and News1,343
- Hacks and Patches1,151
- ↳ Top Settings33
- ↳ Beginners254
- ↳ Archives402
- ↳ Hacks News and Development56
- Cameras2,361
- ↳ Panasonic990
- ↳ Canon118
- ↳ Sony154
- ↳ Nikon96
- ↳ Pentax and Samsung70
- ↳ Olympus and Fujifilm99
- ↳ Compacts and Camcorders299
- ↳ Smartphones for video97
- ↳ Pro Video Cameras191
- ↳ BlackMagic and other raw cameras121
- Skill1,961
- ↳ Business and distribution66
- ↳ Preparation, scripts and legal38
- ↳ Art149
- ↳ Import, Convert, Exporting291
- ↳ Editors191
- ↳ Effects and stunts115
- ↳ Color grading197
- ↳ Sound and Music280
- ↳ Lighting96
- ↳ Software and storage tips267
- Gear5,414
- ↳ Filters, Adapters, Matte boxes344
- ↳ Lenses1,579
- ↳ Follow focus and gears93
- ↳ Sound498
- ↳ Lighting gear314
- ↳ Camera movement230
- ↳ Gimbals and copters302
- ↳ Rigs and related stuff272
- ↳ Power solutions83
- ↳ Monitors and viewfinders339
- ↳ Tripods and fluid heads139
- ↳ Storage286
- ↳ Computers and studio gear560
- ↳ VR and 3D248
- Showcase1,859
- Marketplace2,834
- Offtopic1,319
