Password bypass flaw in Western Digital My Cloud drives puts data at risk
A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.
Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.
The exploit works because drive’s web-based dashboard doesn’t properly check a user’s credentials before giving a possible attacker access to tools that should require higher levels of access.
The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter.
Details of the bug were also independently found by another security team, which released its own exploit code.
Vermeulen reported the bug over a year ago, in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.
After he found that WD updated the My Cloud firmware in the meanwhile without fixing the vulnerability he found, he decided to post his findings.
A year later, WD still hasn’t released a patch.
The company confirmed that it knows of the vulnerability but did not say why it took more than a year to issue a fix. “We are in the process of finalizing a scheduled firmware update that will resolve the reported issue,” a spokesperson said, which will arrive “within a few weeks.”
WD said that several of its My Cloud products are vulnerable — including the EX2, EX4 and Mirror, but not My Cloud Home.
In the meantime, Vermeulen said that there’s no fix and that users have to “just disconnect” the drive altogether if they want to keep their data safe.
Dixons Carphone says millions more customers affected by 2017 breach
A Dixons Carphone data breach that was disclosed earlier this summer was worse than initially reported. The company is now saying that personal data of 10 million customers could also have been accessed when its systems were hacked.
The European electronics and telecoms retailer believes its systems were accessed by unknown and unauthorized person/s in 2017, although it only disclosed the breach in June, after discovering it during a review of its security systems.
Last month it said 5.9M payment cards and 1.2M customer records had been accessed. But with its investigation into the breach “nearing completion”, it now says approximately 10M records containing personal data (but no financial information) may have been accessed last year — in addition to the 5.9M compromised payment cards it disclosed last month.
“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated,” the company said in a statement.
In terms of what personal data the 10M records contained, a Dixons Carphone spokeswoman told us: “This continues to relate to personal data, and the types of data that may have been accessed are, for example, name, address or email address.”
The company says it’s taking the precaution of contacting all its customers — to apologize and advise them of “protective steps to minimize the risk of fraud”.
It adds it has no evidence that the unauthorized access is continuing, having taken steps to secure its systems when the breach was discovered last month, saying: “We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing.”
Commenting in a statement, Dixons Carphone CEO, Alex Baldock, added: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.
“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”
Back in 2015, Carphone Warehouse, a mobile division of Dixons Carphone, also suffered a hack which affected around 3M people. And in January the company was fined £400k by the ICO as a consequence of that earlier breach.
Since then new European Union regulations (GDPR) have come into force which greatly raise the maximum penalties which regulators can impose for serious data breaches.
Last month, following Dixon’s disclosure of the latest breach, the UK’s data watchdog, the ICO, told us it was liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.
Of the 5.9M payment cards which Dixons disclosed last month as having been compromised, it said the vast majority had been protected by chip and PIN technology. But around 105,000 lacked the security tech so Dixons said at the time could therefore have been compromised.
It’s the additional 1.2M records containing non-financial personal data — such as name, address or email address — that have been revised upwards now, to ~10M records, which constitutes almost half the Group’s customer base in the UK and Ireland.
The spokeswoman told us the Group has approximately 22M customers in the region.