Many people like being able to access their files no matter what device they're using. That's why services like Dropbox, Google Drive, iCloud and OneDrive have become all but ubiquitous. It's also why companies like Western Digital offer connected drives like the My Cloud products, but in that particular case, a security flaw means the person who owns the drive isn't the only one who can access its contents.
Securify's Remco Vermeulen and Exploitee.rs independently found and disclosed a major authentication bypass flaw in My Cloud products in 2017. Vermeulen said he disclosed the problem to Western Digital last April but never received a response from the company. Exploitee.rs also said it contacted Western Digital about the problem last year and even publicly discussed it at Def Con 25, but its warnings also fell on deaf ears.
The flaw in question allows someone to gain administrator access to a My Cloud drive without a password. Vermeulen said that person could "run commands that would normally require admin privileges and gain complete control of the My Cloud device." He proved this on a My Cloud model WDBCTL0020HWT running firmware version 2.30.172 but said other models likely bear the same flaw because they use the same code.
Vermeulen and Exploitee.rs both developed proofs of concept demonstrating the flaw in action. It doesn't appear to be particularly difficult--Vermeulen's demo was presented in a GIF--and could probably be exploited by amateurs now that the flaw has been disclosed to the public. Western Digital hasn't developed a fix yet, either, but a year-and-a-half of silence left the researchers little choice but to go public.
We couldn't find public acknowledgement of this vulnerability from Western Digital on its website, blog, or Twitter account. The company has responded directly to some Twitter users, however, and linked to an unlisted blog post (opens in new tab) it quietly published on September 19. In it, the company said that My Cloud Home devices aren't affected and that it plans to address the vulnerability with a firmware update "within a few weeks."
Western Digital also seemed keen on downplaying its slow response to Vermeulen and Exploitee.rs' disclosures.
"Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover. We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities," it said in its blog post.
My Cloud device owners are encouraged to enable automatic updates to make sure their devices aren't affected by this flaw as soon as possible.