Despite releasing some initial fixes a couple of months back, it has now been confirmed that Western Digital[1] hasn't addressed all the vulnerabilities exist[2] in its My Cloud[3] storage devices. The company has instead planned some future updates to patch the security loopholes spotted in as many as 12 of its devices.
Security firm GulfTech originally found the vulnerabilities last year that allow remote backdoor admin access through the username "mydlinkBRionyg" and password "abc12345cba". The affected devices were also spotted to have a flaw that would let potential attackers gain remote access through a file upload action. Similarly, the researchers at GulfTech found[4] that the My Cloud devices in question are also vulnerable to security issues such as cross-site request forgery, command injection, denial of service (DoS), and information disclosure.
After getting the reaching of the vulnerabilities exist in the affected devices, GulfTech in June last year intimated Western Digital that eventually resulted in the release of some firmware updates in November. However, the security firm in an advisory to its blog post reveals that some key vulnerabilities still remain.
Western Digital, on its part, recommends that My Cloud users should disable the Dashboard Cloud Access and turn off the additional port-forwarding functionalities to overcome the issue. These workarounds are importantly valid only for the issue that enables a hacker to access to the owner's local network by exploiting the default settings or through gaining a backdoor access via Dashboard Cloud Access, which is available on devices, including My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud EX2 Ultra, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100, My Cloud PR4100, My Cloud Mirror, and My Cloud Mirror...