‘I am admin’ bug turns every WD My Cloud box into Everyone’s Cloud box

Western Digital NAS devices are now vulnerable to hijacking via HTTP cookies.
Hackers can gain admin-level control of Western Digital’s My Cloud boxes with an HTTP request sent over the network or the internet.
Cybersecurity researchers revealed that the vulnerability, tracked as CVE-2018-17153, gives a hacker unauthenticated and unrestricted network access: it bypasses the password check and logs the hacker in with admin privileges.

This means that the hacker will have full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it is even worse, because it can be pwned remotely.

Remember, everything can be hacked. To stay away from threats related to the cyber world, we recommend installing antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS the device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.

The flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When a hacker sends a command to the device’s web interface, as an HTTP CGI request, they can also include the cookie username=admin – which unlocks admin access.

If properly constructed, the request establishes an admin login session on the device without ever asking for a password.
The vulnerability was reported to Western Digital back in April, but the company has not fixed it since. Now, some five months later, they are finally disclosing the bug.
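The session flaw described above, modelled as an added example next to a corrected design. This is not Western Digital's firmware code: the class names, the `session` cookie name and the sample password are assumptions made for illustration.

```python
import secrets


class FlawedAuth:
    """Simplified model of the flaw: identity is read from a client-supplied
    cookie and the resulting admin session is keyed only by source IP."""

    def __init__(self):
        self.admin_ips = set()

    def handle(self, client_ip, cookies):
        # BUG: the cookie is fully controlled by the client, yet it is
        # treated as proof of identity and creates a session for this IP.
        if cookies.get("username") == "admin":
            self.admin_ips.add(client_ip)
        return client_ip in self.admin_ips


class HardenedAuth:
    """Corrected design: a session exists only after a password check and is
    referenced by an unguessable, server-issued token."""

    def __init__(self, admin_password):
        # Kept in memory for brevity; a real device stores a salted hash.
        self._password = admin_password
        self._sessions = {}  # token -> (username, client_ip)

    def login(self, client_ip, username, password):
        # Constant-time comparison avoids leaking how much of the password matched.
        if username == "admin" and secrets.compare_digest(password, self._password):
            token = secrets.token_urlsafe(32)
            self._sessions[token] = (username, client_ip)
            return token
        return None

    def handle(self, client_ip, cookies):
        # Any "username" cookie is ignored; only a token issued by login()
        # from the same address grants admin rights.
        session = self._sessions.get(cookies.get("session", ""))
        return session == ("admin", client_ip)
```

In the flawed model a single request carrying the cookie is enough, and every later request from that address is treated as admin; the hardened model never consults the `username` cookie at all.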

This isn’t the first time Western Digital neglected cybersecurity on the My Cloud storage line. In January, the company had to come out with a fix after a researcher discovered that a number of My Cloud devices had a hard-coded password left in their firmware.

We will continue to monitor this cyber problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network. Tests like this include penetration testing and ethical hacking.