Skip to content


Links for 2021-06-29

  • Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices

    All looking pretty shite for Western Digital — one of their engineers *removed* the need for authentication on the factory-reset PHP script for the My Book Live devices:

    A Western Digital developer created five lines of code to password-protect the reset command. For unknown reasons, the authentication check was [….] commented out as indicated by the double / character at the beginning of each line. […] The discovery raises a vexing question: if the hackers had already obtained full root access by exploiting CVE-2018-18472 [a separate bug], what need did they have for this second security flaw? There’s no clear answer, but based on the evidence available, Abdine has come up with a plausible theory — that one hacker first exploited CVE-2018-18472 and a rival hacker later exploited the other vulnerability in an attempt to wrest control of those already compromised devices.

    (tags: hacks exploits fail western-digital iot hardware php)