Wish you could log into someone’s Netgear box without a password? Summon a &genie=1 – get patching!

Some 17 Netgear routers have a remote authentication bypass, meaning malware or miscreants on your network, or able to reach the device’s web-based configuration interface from the internet, can gain control without having to provide a password. Just stick &genie=1 in the URL, and bingo.

That’s pretty bad news for any vulnerable gateways with remote configuration access enabled, as anyone on the internet can exploit the cockup to take over the router, change its DNS settings, redirect browsers to malicious sites, and so on.

Another 17 Netgear routers – with some crossover with the above issue – have a similar bug, in that the genie_restoring.cgi script, provided by the box’s built-in web server, can be abused to extract files and passwords from its filesystem in flash storage – it can even be used to pull files from USB sticks plugged into the router.

Other models have less severe problems that still need patching just in case. For example, after pressing the Wi-Fi Protected Setup button, six of Netgear’s routers open up a two-minute window during which an attacker can potentially execute arbitrary code on the router as root over the air.

Source: Wish you could log into someone’s Netgear box without a password? Summon a &genie=1 • The Register
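
For anyone fronting a router's admin interface with a logging proxy, the two request patterns named above can be searched for directly. This is an added example, not code from Netgear or The Register; the log format, the LAN subnet and every sample line are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from posixpath import basename
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: the router's LAN subnet; any other source counts as remote access.
LAN = ip_network("192.168.1.0/24")

# Constructed sample lines in Common Log Format (not captured from a real device).
SAMPLE_LOG = """\
192.168.1.23 - - [10/Feb/2018:09:14:02 +0000] "GET /start.htm HTTP/1.1" 401 512
192.168.1.23 - - [10/Feb/2018:09:14:09 +0000] "GET /start.htm?page=wan&genie=1 HTTP/1.1" 200 2048
203.0.113.77 - - [10/Feb/2018:11:02:51 +0000] "GET /start.htm?%67enie=1 HTTP/1.1" 200 2048
203.0.113.77 - - [10/Feb/2018:11:03:05 +0000] "GET /genie_restoring.cgi HTTP/1.1" 200 9120
192.168.1.40 - - [10/Feb/2018:12:30:00 +0000] "GET /help.htm?topic=genie HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def classify(target):
    """Return the reasons a request target matches the two reported bugs."""
    parts = urlsplit(target)
    reasons = []
    # parse_qsl percent-decodes keys and values, so encoded spellings
    # of the parameter name are normalised before comparison.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if any(key.lower() == "genie" and value == "1" for key, value in params):
        reasons.append("genie=1 parameter")
    if basename(unquote(parts.path)).lower() == "genie_restoring.cgi":
        reasons.append("genie_restoring.cgi request")
    return reasons


def find_genie_requests(lines):
    """Scan log lines and return one record per suspicious request."""
    hits = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        reasons = classify(match["target"])
        if not reasons:
            continue
        hits.append({
            "client": match["client"],
            "when": match["when"],
            "target": match["target"],
            "reasons": reasons,
            # True when the request did not come from the LAN subnet.
            "remote": ip_address(match["client"]) not in LAN,
            # True when the device answered with content rather than 401.
            "served": match["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_genie_requests(SAMPLE_LOG.splitlines()):
        origin = "REMOTE" if hit["remote"] else "lan"
        print(hit["when"], hit["client"], origin, hit["target"], hit["reasons"])
```

Hits that are both remote and served are the ones to chase first, since they indicate the configuration interface is reachable from outside and answered without a 401.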

PinMe: Tracking a Smartphone User around the World with GPS and WiFi off

We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS, are turned off.

Source: [1802.01468] PinMe: Tracking a Smartphone User around the World

Maybe you should’ve stuck with NetWare: Hijackers can bypass Active Directory controls

“The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain.”

That’s easily spotted, so Delsalle wrote that the attack described by Delpy and Le Toux has to “modify the targeted AD infrastructure database to authorise the rogue server to be part of the replication process.”

Source: Maybe you should’ve stuck with NetWare: Hijackers can bypass Active Directory controls • The Register

Lenovo Fingerprint Manager Pro for Windows has a hardcoded password

A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.

Source: Lenovo Fingerprint Manager Pro for Windows 7, 8, and 8.1 only (not 10) Insecure Credential Storage

Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases

Strava which markets itself as a “social-networking app for athletes” publicly made available the global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit.

Since Strava has been designed to track users’ routes and locations, IUCA analyst Nathan Ruser revealed that the app might have unintentionally mapped out the location of some of the military forces around the world, especially some secret ones from the United States.

With a total of one billion activities logged on the Strava’s activity map, it is a whole lot of useful data from all over the world.

Although Strava’s publicly available activity map was live as of November 2017, Ruser recently noticed that the map includes the fitness routes of army soldiers and agents in secret base locations, including U.S. military bases in Afghanistan and Syria, a suspected CIA base in Somalia and even Area 51.

Source: Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases

Dutch agencies provide crucial intel about Russia’s interference in US-elections, US burns the Dutch source

The Cozy Bear hackers are in a space in a university building near the Red Square. The group’s composition varies, usually about ten people are active. The entrance is in a curved hallway. A security camera records who enters and who exits the room. The AIVD hackers manage to gain access to that camera. Not only can the intelligence service now see what the Russians are doing, they can also see who’s doing it. Pictures are taken of every visitor. In Zoetermeer, these pictures are analyzed and compared to known Russian spies.

The Dutch access to the Russian hackers’ network soon pays off. In November, the Russians prepare for an attack on one of their prime targets: the American State Department. By now, they’ve obtained e-mail addresses and the login credentials of several civil servants. They manage to enter the non-classified part of the computer network.

The AIVD and her military counterpart MIVD inform the NSA-liaison at the American embassy in The Hague. He immediately alerts the different American intelligence services.

What follows is a rare battle between the attackers, who are attempting to further infiltrate the State Department, and its defenders, FBI and NSA teams – with clues and intelligence provided by the Dutch. This battle lasts 24 hours, according to American media.

The Russians are extremely aggressive but do not know they’re being spied on. Thanks to the Dutch spies, the NSA and FBI are able to counter the enemy with enormous speed. The Dutch intel is so crucial that the NSA opens a direct line with Zoetermeer, to get the information to the United States as soon as possible.
[…]
President elect Donald Trump categorically refuses to explicitly acknowledge the Russian interference. It would tarnish the gleam of his electoral victory. He has also frequently praised Russia, and president Putin in particular. This is one of the reasons the American intelligence services eagerly leak information: to prove that the Russians did in fact interfere with the elections. And that is why intelligence services have told American media about the amazing access of a ‘western ally’.

This has led to anger in Zoetermeer and The Hague. Some Dutchmen even feel betrayed. It’s absolutely not done to reveal the methods of a friendly intelligence service, especially if you’re benefiting from their intelligence. But no matter how vehemently the heads of the AIVD and MIVD express their displeasure, they don’t feel understood by the Americans. It’s made the AIVD and MIVD a lot more cautious when it comes to sharing intelligence. They’ve become increasingly suspicious since Trump was elected president.

The AIVD hackers are no longer in Cozy Bear’s computer network. The Dutch espionage lasted between 1 and 2,5 years. Hacker groups frequently change their methods and even a different firewall can cut off access.

Source: Dutch agencies provide crucial intel about Russia’s interference in US-elections – Tech – Voor nieuws, achtergronden en columns

Researchers find a way to link TOR / Silk Road BTC expenditure to people using two datasets

To do so, the Qatari researchers first collected dozens of bitcoin addresses used for donations and dealmaking by websites protected by the anonymity software Tor, run by everyone from WikiLeaks to the now-defunct Silk Road. Then they scraped thousands of more widely visible bitcoin addresses from the public accounts of users on Twitter and the popular bitcoin forum Bitcoin Talk.

By merely searching for direct links between those two sets of addresses in the blockchain, they found more than 125 transactions made to those dark web sites’ accounts—very likely with the intention of preserving the senders’ anonymity—that they could easily link to public accounts. Among those, 46 were donations to WikiLeaks. More disturbingly, 22 were payments to the Silk Road. Though they don’t reveal many personal details of those 22 individuals, the researchers say that some had publicly revealed their locations, ages, genders, email addresses, or even full names. (One user who fully identified himself was only a teenager at the time of the transactions.) And the 18 people whose Silk Road transactions were linked to Bitcoin Talk may be particularly vulnerable, since that forum has previously responded to subpoenas demanding that it unmask a user’s registration details or private messages. “You have irrefutable evidence mapping this profile to this hidden service,” says Yazan Boshmaf, another of the study’s authors.

Source: Your Sloppy Bitcoin Drug Deals Will Haunt You for Years

Easy to watch over your shoulder at your Tindering

Checkmarx researchers disclosed two flaws (CVE-2018-6017, CVE-2018-6018) and a proof of concept (see video below) for an app that could sit on the wireless network of, say, an airport or hotel and observe actions including profile views, swipes, and likes.

The first issue, CVE-2018-6017, results from the Tinder app’s use of insecure HTTP connections to access profile pictures. By observing traffic on a public Wi-Fi network (or some other snooping position on a network), a miscreant could see what profiles are being viewed and match them with the victim’s device. If a scumbag has compromised the network when the victim turns on the Tinder app, the victim’s profile information could also be intercepted and viewed.

The second flaw, CVE-2018-6018, is what allows the attacker to see specific actions like swipes and likes. Though the Tinder API uses HTTPS connections for traffic it handles, the specific actions each move their encrypted packets with a set length.

By checking packets for specific byte sizes (278 bytes for a left swipe to reject, 374 bytes for a right swipe to approve, and 581 bytes for a like), the attacker could combine the actions with the unsecured HTTP profile and photo traffic to work out who is swiping who.

The recommendation for users is simple enough: avoid public Wi-Fi networks wherever possible. Developers, meanwhile, should take steps to make sure all app traffic is secured.

Source: Swipe fright: Tinder hackers may know how desperate you really are • The Register
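
The length leak behind CVE-2018-6018 and one common countermeasure, padding every message to a fixed bucket before it is encrypted, can be shown side by side. This is an added example, not Tinder's or Checkmarx's code; the three sizes come from the article, while the 1024-byte bucket, the 4-byte length prefix and the message bodies are assumptions constructed for illustration.

```python
import struct

# Record sizes reported in the article for each action.
OBSERVED_SIZES = {278: "left swipe", 374: "right swipe", 581: "like"}

# Assumption: every message is padded up to a multiple of this many bytes.
BUCKET = 1024


def sample_messages():
    """Constructed stand-ins whose lengths match the article's sizes.

    Encryption overhead is treated as a constant and left out: a constant
    added to every message does not change which lengths are distinguishable.
    """
    return {action: b"\x17" * size for size, action in OBSERVED_SIZES.items()}


def guess_action(wire_len):
    """What a passive observer can infer from length alone (None if nothing)."""
    return OBSERVED_SIZES.get(wire_len)


def pad(payload, bucket=BUCKET):
    """Frame payload as a 4-byte big-endian length, the payload, then zero fill.

    The result is always a multiple of `bucket` bytes. Padding must be
    applied before encryption so the padding itself is hidden.
    """
    framed = struct.pack(">I", len(payload)) + payload
    padded_len = -(-len(framed) // bucket) * bucket  # round up to bucket
    return framed + b"\x00" * (padded_len - len(framed))


def unpad(blob):
    """Recover the original payload from a padded frame."""
    if len(blob) < 4:
        raise ValueError("frame shorter than length prefix")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("length prefix exceeds frame size")
    return blob[4:4 + length]


def wire_lengths(messages, encode):
    """Set of distinct on-the-wire lengths after applying `encode`."""
    return {len(encode(body)) for body in messages.values()}


if __name__ == "__main__":
    msgs = sample_messages()
    print("unpadded lengths:", sorted(wire_lengths(msgs, lambda b: b)))
    print("padded lengths:  ", sorted(wire_lengths(msgs, pad)))
    for action, body in msgs.items():
        print(action, "->", guess_action(len(body)), "/", guess_action(len(pad(body))))
```

Bucketed padding hides only message length; the unencrypted HTTP photo requests described for CVE-2018-6017 still need to move to HTTPS.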

It’s 2018 and your Macs, iPhones can be pwned by playing evil music: lots of patches

Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible.
[…]
Less-hyped, but still serious, are vulnerabilities in the macOS kernel that include an exploitable race condition (CVE-2018-4092), a validation issue (CVE-2018-4093), and memory initialization bug (CVE-2018-4090) that could also allow restricted memory to be read.
[…]
Two other kernel flaws, CVE-2018-4097 and CVE-2018-4082, allow an app to run code as the kernel, thus hijacking the whole machine. The first is “a logic issue [..] addressed with improved validation,” discovered by Resecurity Inc, and the second “a memory corruption issue […] addressed through improved input validation” found and reported by Russ Cox of Google.

Other noteworthy bugs include CVE-2018-4094, a bug in both Sierra and High Sierra discovered by five researchers at Yonsei University in Seoul, South Korea. The memory corruption bug allows remote code execution attacks simply by processing a maliciously crafted audio file.

The WebKit browser engine received three fixes for remote code execution flaws (CVE-2018-4088, CVE-2018-4089, CVE-2018-4096) that are also patched in Safari with version 11.0.3.

The QuartzCore component contained a remote code execution flaw (CVE-2018-4085) that can be exploited via web content, while Wi-Fi had a restricted memory access flaw (CVE-2018-4084), and a bug in the operating system’s process sandbox (CVE-2018-4091) could allow programs to get around access restrictions.

Meanwhile, on mobile…

For iOS devices, Apple has served up the 11.2.5 update. It includes a fix for the CVE-2018-4094 audio-file remote-code execution flaw as well as the three kernel memory leak bugs (CVE-2018-4090, CVE-2018-4092, CVE-2018-4093), and the QuartzCore, and WebKit flaws included in the macOS update.

Researcher Abraham “cheesecakeufo” Masri gets credit for CVE-2018-4100, a patched flaw in iOS that allows text messages to crash the iPhone, while Zimperium zLabs’ Rani Idan was credited for CVE-2018-4095 and CVE-2018-4087, a pair of arbitrary code execution flaws in Core Bluetooth.

Masri’s text-message bug, CVE-2018-4100, is also fixed in macOS’s LinkPresentation code to prevent weird text in webpages and messages from stalling desktop apps.

Many of the same iOS flaws are addressed for the Apple Watch in watchOS 4.2.2, and in the AppleTV with tvOS 11.2.5.

Source: It’s 2018 and your Macs, iPhones can be pwned by playing evil music • The Register

Bizarrely these are only now being patched?

Skype, Signal, Slack, other apps inherit Electron vuln

Electron is a node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It’s widely-used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters.

Slack users should update to version 3.0.3 or better, and the latest version of Skype for Windows is protected, Microsoft told Cyberscoop.

Electron has only published limited details of CVE-2018-1000006, but it affects Windows applications that use custom protocol handlers in the framework.

Here’s what the advisory has to say:

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”

A ray of sunshine to close: “macOS and Linux are not vulnerable to this issue”, Electron’s developers said.

Source: Skype, Signal, Slack, other apps inherit Electron vuln

Intel patches for Spectre cause reboots, Intel tells people to stop installing them and also please help test for them

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.

Based on this, we are updating our guidance for customers and partners:

We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.

Source: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

OnePlus say 40,000 customers credit card details breached

1. What happened

One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.

2. Who's affected

Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected. Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.
Users who paid via a saved credit card should NOT be affected.
Users who paid via the "Credit Card via PayPal" method should NOT be affected.
Users who paid via PayPal should NOT be affected.
We have contacted potentially affected users via email.

Source: [Jan 19 Update] An Update on Credit Card Security – OnePlus Forums

Someone is touting a mobile, PC spyware platform called Dark Caracal to governments

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last year.

Crucially, it appears someone is renting out the Dark Caracal spyware platform to nation-state snoops.

“This is definitely one group using the same infrastructure,” Eva Galperin, the EFF’s director of cybersecurity, told The Register on Wednesday. “We think there’s a third party selling this to governments.”

Dark Caracal has, we’re told, been used to siphon off information from thousands of targets in over 21 countries – from private documents, call records, audio recordings, and text messages to contact information, and photos from military, government, and business targets, as well as activists and journalists.
[…]
The primary way to pick up Pallas on your gadget is by installing infected applications – such as WhatsApp and Signal ripoffs – from non-official software souks. Pallas doesn’t exploit zero-days to take over a device, but instead relies on users being tricked into installing booby-trapped apps, and granting the malicious software a large variety of permissions. Once in place, it can thus surreptitiously record audio from the phone’s microphone, reveal the gizmo’s location to snoops, and leak all the data the handset contains to its masters.

In addition, the Dark Caracal platform offers another surveillance tool: a previously unseen sample of FinFisher, the spyware package sold to governments to surveil citizens. It’s not known if this was legitimately purchased, or a demo version that was adapted.

On the desktop side, Dark Caracal provides a Delphi-coded Bandook trojan, previously identified in Operation Manul, that commandeers Windows systems. Essentially, marks are tricked into installing and running infected programs signed with a legitimate security certificate. Once up and running, the software nasty downloads more malware from command-and-control servers. The code pest can also be stashed in Microsoft Word documents, and executed using macros – so beware, Office admins.

Source: Someone is touting a mobile, PC spyware platform called Dark Caracal to governments • The Register

Lenovo inherited a switch authentication bypass

Lenovo has patched an ancient vulnerability in switches that it acquired along with IBM’s hardware businesses and which Big Blue itself acquired when it slurped parts of Nortel.

The bug, which Lenovo refers to as “HP backdoor”, for reasons it has not explained, has been present in ENOS (Enterprise network operating system) since at least 2004 – when ENOS was still under the hand of Nortel.

Lenovo’s advisory says the issue “was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions”.

There are three vulnerable scenarios, the advisory said:

Authentication via the Telnet or serial consoles, if used for local authentication, “or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances”;
The Web management interface is vulnerable when the user is authenticating via “a combination of RADIUS or TACACS+ and local authentication”, and then only in “an unlikely condition”; and
“SSH for certain firmware released in May 2004 through June 2004”, again with a combination of RADIUS or TACACS+.

The “unlikely conditions” Lenovo referred to depend on which interface is potentially being attacked.

For SSH access, the management interface is only vulnerable if the system is running firmware created between May and June 2004; RADIUS and/or TACACS+ is enabled; the related “backdoor / secure backdoor” local authentication fallback is enabled (in this case, “backdoor” refers to a RADIUS configuration setting); and finally, a RADIUS or TACACS+ timeout occurs.

Source: Lenovo inherited a switch authentication bypass – from Nortel • The Register

OnePlus suspends credit card transactions after fraud

Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated.
[…]
As a precaution, we are temporarily disabling credit card payments at oneplus.net. PayPal is still available, and we are exploring alternative secure payment options with our service providers.

Source: An Update on Credit Card Security – OnePlus Forums

With the camera problems and data being sent quietly to a Chinese server, OnePlus is not exactly inspiring confidence, which is a shame after such successful and valuable launch products in the Android space.

All Intel laptops open to unlocking with ctrl-P and “admin”. Another fatal flaw in Intel Management Engine.

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally.

The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.” Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.

Source: F-Secure Press Room | Global

Let’s Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers’ domains

Let’s Encrypt – a SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it’s insecure in the context of many shared hosting providers.

TLS-SNI is one of three ways Let’s Encrypt’s Automatic Certificate Management Environment (ACME) protocol validates requests for TLS certificates, which enable secure connections when browsing the web, along with the confidence-inspiring display of a lock icon. The other two validation methods, HTTP-01 and DNS-01, are not implicated in this issue.

The problem is that TLS-SNI-01 and its planned successor TLS-SNI-02 can be abused under specific circumstances to allow an attacker to obtain HTTPS certificates for websites that he or she does not own.

Such a person could, for example, find an orphaned domain name pointed at a hosting service, and use the domain – with an unauthorized certificate to make fake pages appear more credible – without actually owning the domain.

Source: Let’s Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers’ domains • The Register

Adult Themed Virtual Reality App spills Names, Emails of Thousands

Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application – a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger.

Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count.

Source: Adult Themed Virtual Reality App spills Names, Emails of Thousands | The Security Ledger

Wait, what? The Linux Kernel Mailing List archives lived on ONE PC? One BROKEN PC?

Spare a thought for Jasper Spaans, who hosts the Linux Kernel Mailing List archive from a single PC that lives in his home. And since things always happen this way the home machine died while he was on holiday.

The archive was therefore unavailable for much of the weekend, although Linux developers could still use mirrors like Indiana University’s effort.

Spaans quickly learned of the outage and he said it was a simple issue, that a brief power outage left the server waiting for a luks – Linux Unified Key Setup – password.

The sad part is that that machine has an initrd with remote ssh access for passing the passphrase (because of a sucky java-based kvm), but I can’t reach the bugger from the outside. A vps + cryptops might be a thing for when this hardware dies though.
— jasper spaans (@spaans) January 10, 2018

But once he got home, it became apparent the problem was rather more serious.

Bad news for the fans of https://t.co/MTS96wBH6B : the main board of the server somehow did not survive the outage 🙁
Expect prolonged downtime while I source replacement parts. (Any recommendations for mini-itx server boards? Currently looking at https://t.co/IHGz1wyxeS )
— jasper spaans (@spaans) January 13, 2018

The hardware Spaans needed appears to have arrived: in the 30 minutes The Reg worked on this story, lkml.org came back to full life.

Source: Wait, what? The Linux Kernel Mailing List archives lived on ONE PC? One BROKEN PC? • The Register

EMC, VMware security bugs throw gasoline on cloud security fire

While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell’s EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server’s file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

The first of the vulnerabilities, designated in MITRE’s Common Vulnerabilities and Exposures (CVE) list as CVE-2017-15548, allows an attacker to gain root access to the servers. This would potentially give someone direct access to backups on the server, allowing them to retrieve images of virtual machines, backed-up databases, and other data stored within the affected systems.

The second vulnerability, CVE-2017-15549, makes it possible for an attacker to potentially upload malicious files into “any location on the server file system” without authentication. And the third, CVE-2017-15550, is a privilege escalation bug that could allow someone with low-level authenticated access to access files within the server. The attacker could do this by using a Web request crafted to take advantage of “path traversal”—moving up and down within the directory structure of the file system used by the application.

Source: EMC, VMware security bugs throw gasoline on cloud security fire | Ars Technica

Okay, Google: why does Chromecast clobber Wi-Fi connections?

Wi-Fi router vendors have started issuing patches to defend their products against Google Chromecast devices. TP-Link and Linksys were first out of the blocks with firmware fixes, and TP-Link has posted this explanation of the issue.

The bug is not in the routers, but in Google’s “Cast” feature, used in Chromecast, Google Home, and other devices. Cast sends multicast DNS (MDNS) packets as a keep-alive for connections to products like Google Home, and it seems someone forgot to configure the feature to go quiet when Chromecast devices are sleeping.

That, at least, is how Vulture South reads the issue that TP-Link’s engineer described: “These packets normally sent in a 20-second interval. However, we have discovered that the devices will sometimes broadcast a large amount of these packets at a very high speed in a short amount of time. This occurs when the device is awakened from the ‘sleep mode’, and could exceed more than 100,000 packets in a short amount of time.”

It continues: “The longer your device is in ‘sleep’, the larger this packet burst will be.”

If left alone long enough, TP-Link warned, the burst will fill up the router’s memory and leave a reboot the only option to restore connectivity.

Source: Okay, Google: why does Chromecast clobber Wi-Fi connections? • The Register

WhatsApp Security Design Could Let an Infiltrator Add Members to Group Chats

Only admins can add new members to private groups. But the researchers found that anyone in control of the server can spoof the authentication process, essentially granting themselves the privileges necessary to add new members who can snoop on private conversations. The obvious examples that come to mind are hackers who manage to gain access to WhatsApp servers or a government successfully pressuring WhatsApp to give it access to targeted group chats.

Perhaps even more troubling, a compromised admin with control of the server could manipulate the messages that would alert group members that someone new had been added, according to the researchers. However, WhatsApp denies this is an issue.

Wired confirmed the researchers’ findings with a WhatsApp spokesperson. While the company, which is owned by Facebook, acknowledges the issue of server security, the spokesperson pushed back on the idea that attackers could block, cache, or otherwise prevent the alert that new members have been added.

Source: WhatsApp Security Design Could Let an Infiltrator Add Members to Group Chats [Updated]

Stop us if you’ve heard this one: Apple’s password protection in macOS can be thwarted

An Apple developer has uncovered another embarrassing vulnerability in macOS High Sierra, aka version 10.13, that lets someone bypass part of the operating system’s password protections.

This time, a vulnerable dialog box was found in the System Preferences panel for the App Store settings. The bug, reported by developer Eric Holtam to the Open Radar bug tracker, has since been verified by Mac-toting netizens.

The bug allows a user logged in with admin rights (this is important to note) to get around the password requirement when making changes in the App Store settings panel. Open the App Store settings panel, click on the padlock to make changes, a password prompt pops up, type in any string of text, and the “password” is accepted, unlocking the preferences panel.

Aaron Lint, veep of research at infosec biz Arxan, claimed the trick can also be used to bypass the login requirements for some other settings panels as well, but not the important “Users and Groups” and “Security and Privacy” controls.

Source: Stop us if you’ve heard this one: Apple’s password protection in macOS can be thwarted • The Register

Yahooooo! says! its! email! is! scrahoooo-ed!

Yahoo! Mail – yes, amazingly it is still a thing – is today taking a break from business as usual norms with the service down for almost the past seven hours.

Since circa 9am, the email service has received hundreds of complaints an hour on downdetector.co.uk, with users moaning about persistent “error 15” messages, and others telling of short periods of functionality before being kicked out of their accounts.

Yahoo’s customer care Twitter account belatedly acknowledged the outage after 2pm, saying it had “received reports that users are seeing temporary access errors when accessing #YahooMail”, and that it was “working to fix this as quickly as possible.”

More than a full hour later, the social media ninjas at Yahoo updated the customer base to say it still didn’t know when it would be able to make things better.

Source: Yahooooo! says! its! email! is! scrahoooo-ed! • The Register

The joys of the cloud…

Western Digital ‘My Cloud’ devices have a hardcoded backdoor — stop using these NAS drives NOW!

Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital My Cloud NAS drives have a hardcoded backdoor, meaning anyone can access them — your files could be at risk. It isn’t even hard to take advantage of it — the username is “mydlinkBRionyg” and the password is “abc12345cba” (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company apparently did nothing until November 2017. Let’s be realistic — not everyone stays on top of updates, and a backdoor never should have existed in the first place.

Source: Western Digital ‘My Cloud’ devices have a hardcoded backdoor — stop using these NAS drives NOW!