A vulnerability has been identified in Western Digital’s MyCloud devices which allows unauthenticated local users full access to the device’s contents.
The vulnerability lies in the UPnP (Universal Plug and Play) server, which is enabled by default on all MyCloud devices. Using HTTP requests, an attacker can bypass any permissions, authentication or restrictions set by administrators.
Trustwave say Western Digital declined to fix this insecure default setting. Instead they recommend that users turn off DLNA if they do not wish to utilise the product feature.
In the advisory, the Trustwave SpiderLabs researcher Martin Rakhmanov also provides a tool to test devices.
- Various WD My Cloud Devices
- MyCloud shared folders that contain sensitive data are password protected and encrypted.
- Media Serving is disabled for shared folders containing sensitive data, or the Twonky DLNA Media Server is disabled for the entire MyCloud.