Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Data Storage Security Bug Software

Buggy Software in Popular Connected Storage Drives Can Let Hackers Read Private Data (techcrunch.com) 44

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user's private and sensitive data. From a report: The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested -- NetGear Stora, Seagate Home and Medion LifeCloud -- can allow an attacker to remotely read, change and delete data without requiring a password. Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.

This discussion has been archived. No new comments can be posted.

Buggy Software in Popular Connected Storage Drives Can Let Hackers Read Private Data

Comments Filter:
  • You mean cheap software written in PHP is insecure?
  • So it seems like it's up to Axentra to fix their poorly coded Piece Of Shit? But do they really even care?

    This kind of sloppy programming needs to come with easy-to-litigate civil remedie$ and then maybe it will stop.

    • by hduff ( 570443 )

      Mr. Eric Lefebvre is the Co-Founder of Axentra,
      283 Dalhousie Street
      Suite 300
      Ottawa, ON K1N 7E5
      Canada
      Phone: 613-627-1250
      Perhaps he would like to respond to this disclosure of such poor security practices?

    • and then maybe it will stop.

      Naaaaa -- don't you know, it's like the CLOUD baby, where everything goes and you push responsibility as far as you can and then right out the window. There's NO problems at all that an online contract or ROM update won't fix. And of course with surface mount chips, unfixable hardware, and no one ever reading the legals, they'll have to buy your *next* product with it's OWN new problems.

      Planned Obsolescence? That's so 1990s. Now they need to pay you for your new product while the old one's still worki

    • This kind of sloppy programming needs to come with easy-to-litigate civil remedie$ and then maybe it will stop.Didn't you read the fucking software agreement before using it? The bit that disclaimed it's fitness for any particular purpose, and limited all liability to the sale value of the software. At least, that's how I read typical EULAs.
  • Somebody felt the need to explain the notion of the root user? On /.?

    Goodness.

    • The part explaining root was just a quote from the original article.

    • Well, the better users have the issue of LJ that describes how to remove root from Linux. That, together with cgroups, means some are forgetting about such archaic notions.

  • Why would anybody ever have a hard coded admin account?!? That is unbelievable. That is why Linux sucks so bad it has hard coded backdoor accounts! I'm so glad I use BeOS, I don't have to worry about hackers!

  • From the "Wizcase" article:

    Both the vulnerabilities (dubbed CVE-2018-18472 and CVE-2018-18471) remain unpatched at the time of this publication.

    But CVE-2018-18471 and CVE-2018-18472 are not listed at mitre.org or the NIST database:

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18471 [mitre.org]
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18472 [mitre.org]

Avoid strange women and temporary variables.

Working...