Last week, a good number of WD My Book Live and My Book Live Duo users around the world reported that their data were mysteriously deleted. After further investigation, we now know more about what has happened.
Initially, it was believed that attackers used a 2018 bug to gain access to the drives and remotely wiped them. However, it is now believed that some drives were remotely wiped using an incredible second exploit.
This exploit doesn’t give an attacker full control of the device but it does give them the ability to remotely wipe a drive without having to know the password.
Normally, factory resets require some sort of authentication from the user – usually in the form of a password. This is a very basic form of authentication and it is present in these devices. However, for reasons unknown, someone at WD decided to comment out (deactivate) the five lines of code designed to password-protect the factory-reset command.
This is the code that was uncovered. The double forward slash at the start of each line indicates that the line is commented out, so the owner check never runs and the request falls straight through to the rest of the handler.

```php
function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
    // if(!authenticateAsOwner($queryParams))
    // {
    //      header("HTTP/1.0 401 Unauthorized");
    //      return;
    // }
    // ... the remainder of the handler, which processes the request, follows here
```
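For contrast, here is what the same endpoint looks like with the owner check restored as a deny-by-default guard. This is an added illustration, not WD's code: the endpoint path, the `authenticateAsOwner()` implementation, the `performFactoryRestore()` stand-in and the sample password are all assumptions made for the demo, and the handler returns a status/body pair instead of calling `header()` so it can be exercised from the command line.

```php
<?php
// Added example (not WD's code): a factory-reset endpoint where the owner
// check is enforced before anything destructive can happen.
declare(strict_types=1);

// Assumed endpoint path for the demo; the real device path is not given here.
const RESET_PATH = '/example/factory_restore';

// Deny by default: a missing or empty password never authenticates.
// $ownerHash is a password_hash() value stored on the device (constructed below).
function authenticateAsOwner(?array $queryParams, string $ownerHash): bool {
    if ($queryParams === null || empty($queryParams['password'])) {
        return false;
    }
    return password_verify((string) $queryParams['password'], $ownerHash);
}

// Stand-in for the destructive operation; the real handler wipes the disk.
function performFactoryRestore(): string {
    return 'restore-started';
}

// Returns [status, body] rather than sending headers, so the behaviour can be
// checked without a web server. The guard is the first statement in the
// function: there is no code path to the reset without passing it.
function post(string $urlPath, ?array $queryParams, string $ownerHash): array {
    if (!authenticateAsOwner($queryParams, $ownerHash)) {
        return [401, 'Unauthorized'];
    }
    if ($urlPath === RESET_PATH) {
        return [200, performFactoryRestore()];
    }
    return [404, 'Not found'];
}

// Constructed owner credential for the demo, hashed the way it would be stored.
$ownerHash = password_hash('correct horse', PASSWORD_DEFAULT);

$cases = [
    'no credentials' => post(RESET_PATH, null, $ownerHash),
    'wrong password' => post(RESET_PATH, ['password' => 'guess'], $ownerHash),
    'owner password' => post(RESET_PATH, ['password' => 'correct horse'], $ownerHash),
];
foreach ($cases as $label => [$status, $body]) {
    printf("%-15s -> %d %s\n", $label, $status, $body);
}
```

Run with `php example.php`: the first two requests stop at the guard with 401 and only the request carrying the owner's password reaches `performFactoryRestore()`. The point of the guard-clause shape is that commenting out those first lines (as happened in the shipped firmware) is visible in a diff as the removal of the only thing standing between an unauthenticated request and a wipe, which is the kind of change code review and a regression test on the 401 path should catch.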
HD Moore, a security expert and CEO of network discovery platform Rumble, said:
The vendor commenting out the authentication in the system restore endpoint really doesn't make things look good for them. It’s like they intentionally enabled the bypass.
In addition, there is now a theory that all of this data deletion and remote wiping was the result of a tussle between rival hacker groups. After all, if an attacker already had root access through the 2018 bug, why would they need to factory-reset the devices using the second, zero-day exploit?
Derek Abdine, CTO at security firm Censys, posits that one hacker (or group of hackers) first exploited CVE-2018-18472, the 2018 bug, and that a rival hacker later exploited the zero-day bug in an attempt to take control of these already compromised devices.
Abdine also took a look at the code of WD's popular My Cloud devices and said that these products run a different code base that does not contain either of the vulnerabilities that plague the My Book Live devices.
WD has yet to comment if there’s an effective way for users to recover data from affected devices.
If you have a WD My Book Live or My Book Live Duo drive, disconnect it from the internet right now or risk losing your data.
To read about the exploits in detail, hit the link below.
 
**Update on 9 October 2021, 2030 hrs**
Which WD NAS models are affected?
WD has also listed the exact My Book Live and My Book Duo SKUs affected on this support page.
Alternative suggestions for those affected?
WD has offered registered users of the affected SKUs for My Book Live and My Book Duo trade-in offers and the procedures are listed here. Otherwise, WD recommends disconnecting them from the internet.
 
Source: Ars Technica