{"id":286662,"date":"2021-06-29T18:29:23","date_gmt":"2021-06-29T15:29:23","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/western-digital-removed-code-that-would-have-prevented-global-my-book-wiping-review-geek\/"},"modified":"2021-06-29T18:29:23","modified_gmt":"2021-06-29T15:29:23","slug":"western-digital-removed-code-that-would-have-prevented-global-my-book-wiping-review-geek","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/western-digital-removed-code-that-would-have-prevented-global-my-book-wiping-review-geek\/","title":{"rendered":"#Western Digital Removed Code That Would Have Prevented Global My Book Wiping \u2013 Review Geek"},"content":{"rendered":"

“#Western Digital Removed Code That Would Have Prevented Global My Book Wiping \u2013 Review Geek”<\/strong><\/p>\n

\n
\"\"
Western Digital<\/span><\/figcaption><\/figure>\n

A Western Digital developer removed code that would have prevented last week\u2019s mass wiping of My Book Live storage drives, according to a report from Ars Technica<\/em><\/a>. A hacker exploited this change in code, likely to disrupt another<\/em> hacker who had turned some My Book Live devices into a botnet.<\/p>\n

Victims of last week\u2019s global wiping event complained that the factory reset tool on their My Book Live devices should be password-protected. Evidently, that was once the case. But a developer at Western Digital edited the system_factory_restore PHP script<\/a> to block out all the authentication checks. To be clear, this developer did not delete the authentication checks, but simply added slash marks ahead of the code to prevent it from running.<\/p>\n

function get($urlPath, $queryParams=null, $ouputFormat=\"xml\"){
\/\/ if(!authenticateAsOwner($queryParams))
\/\/ {
\/\/ header(\"HTTP\/1.0 401 Unauthorized\");
\/\/ return;
\/\/ }\u00a0<\/code><\/p>\n

In a conversation with Ars Technica<\/em>, security expert and CEO of Rumble HD Moore stated that \u201cthe vendor commenting out the authentication in the system restore endpoint really doesn\u2019t make things look good for them \u2026 It\u2019s like they intentionally enabled the bypass.\u201d Even more damning is the fact that this hacker triggered factory resets with an XML request, which would require prior knowledge of the My Book Live system or outstandingly good guesswork.<\/p>\n

But that\u2019s not all. Most of the devices hit with the factory reset exploit had already fallen victim to a hacking attempt. A recent Western Digital blog post<\/a> states that hackers used CVE-2018-18472, a three-year-old exploit, to gain full administrative access<\/a> over My Book Live drives. This exploit lets hackers to run high-level commands on drives and view or modify files.<\/p>\n

Interestingly, the CVE-2018-18472 exploit was password-protected by a hacker. Western Digital says that it was used to spread .nttpd,1-ppc-be-t1-z<\/a>, a PowerPC malware that turns devices into a Linux.Ngioweb<\/a> botnet\u2014basically a rotating proxy service that can hide cybercriminals\u2019 identities or leverage DDoS attacks.<\/p>\n

Western Digital says that it doesn\u2019t know why hackers would exploit the CVE-2018-18472 and<\/em> factory reset vulnerabilities back-to-back. It certainly seems counterintuitive; why would you quietly build a botnet just to create a massive scandal and push My Book Live users to buy a new NAS device?<\/p>\n

The conclusion made by Censys<\/a> and Ars Technica<\/em><\/a> seems the most plausible\u2014a hacker ran the factory reset exploit to sabotage the growing botnet. Maybe the hackers are rivals, although this whole thing could have been a coincidence. Who knows, maybe someone in a Discord chat or forum announced that My Book Live devices haven\u2019t been updated since 2015, leading two hackers to run independent attacks within the same timeframe.<\/p>\n

If you\u2019re a My Book Live user, please disconnect your drive from the internet and never use it as a remote storage device ever again. Newer NAS devices, including those from Western Digital, have security features that are actually up to date.<\/p>\n

Source: Ars Technica<\/a><\/small>\n<\/div>\n