Do you own a WD My Cloud device (NAS)? Well, congrats, you have a backdoor pre-installed!

Elixer · Jan 5, 2018

They have a hard coded backdoor of user:abc12345cba pw: mydlinkBRionyg, and no, you can't change it.
As an extra bonus, you can do this remotely!

Over 6 months since they were notified, and they haven't fixed it.

http://www.gulftech.org/advisories/WDMyCloud Multiple Vulnerabilities/125

VirtualLarry · Jan 6, 2018

Oye Vey...

whm1974 · Jan 6, 2018

So it is looking like your are better off building your own NAS.

Malogeek · Jan 6, 2018

lol that's a terrible backdoor. Who the hell would code a backdoor login with the password in cleartext within the open code?

Red Squirrel · Jan 6, 2018

Yikes.

When they say remote, they mean it still requires you to forward the port at the firewall right? Or does this thing actually connect out to some kind of cloud server and become publicly accessible?

Either way, stuff like this is why I prefer to build my own NAS vs use premade ones. It seems there's backdoors in everything now.

Shmee · Jan 6, 2018

Yikes is right. That is really something stupid.

XavierMace · Jan 6, 2018

Red Squirrel said:
Yikes.

When they say remote, they mean it still requires you to forward the port at the firewall right? Or does this thing actually connect out to some kind of cloud server and become publicly accessible?

Either way, stuff like this is why I prefer to build my own NAS vs use premade ones. It seems there's backdoors in everything now.

Not necessarily. It's exploiting the web server built into the NAS. You could theoretically compromise it by visiting a malicious site from any system on the same network.

Elixer · Jan 6, 2018

I would have thought this would have been caught in a security audit... unless of course WD doesn't have a security audit program. 🙁

XavierMace · Jan 6, 2018

Elixer said:
I would have thought this would have been caught in a security audit... unless of course WD doesn't have a security audit program. 🙁

Having a security audit doesn't mean you have to do anything about it. Or even if you "have to" (meaning pressure from some other source to fix it), that often gets dragged out as long as possible.

mxnerd · Jan 6, 2018

WOW! World's largest hard disk manufacturer has worst backdoor technology.

Would never buy any NAS product from WD or Seagate.

Do you own a WD My Cloud device (NAS)? Well, congrats, you have a backdoor pre-installed!

Elixer

Lifer

VirtualLarry

No Lifer

whm1974

Diamond Member

Malogeek

Golden Member

Red Squirrel

No Lifer

Shmee

Memory & Storage, Graphics Cards Mod Elite Member

XavierMace

Diamond Member

Elixer

Lifer

XavierMace

Diamond Member

mxnerd

Diamond Member

TRENDING THREADS