Western Digital My Cloud OS 5, My Cloud Home, SanDisk ibi and WD Cloud Mobile and Web App Update


WDC Tracking Number: WDC-23004
Product Line: My Cloud, My Cloud Home, My Cloud Home Duo, SanDisk ibi, and WD Cloud
Published: March 5, 2023

Last Updated: March 24, 2023

Description

Western Digital My Cloud, My Cloud Home, SanDisk ibi and WD Cloud mobile and web apps have been updated to help improve the security of your devices and data.

Product Impact
Minimum Fix Version
Last Updated
ibi App - Android
4.21.0 or later
March 01, 2023
ibi App - iOS
4.21.0 or later
March 01, 2023
My Cloud Home App - Android
4.21.0 or later
March 01, 2023
My Cloud Home App - iOS
4.21.0 or later
March 01, 2023
My Cloud OS 5 App - Android
4.21.0 or later
March 01, 2023
My Cloud OS 5 App - iOS
4.21.0 or later
March 01, 2023
WD Cloud App - Android
4.21.0 or later
March 01, 2023
WD Cloud App - iOS
4.21.0 or later
March 01, 2023
ibi Web App
4.26.0-6126
March 08, 2023
My Cloud Home Web App
4.26.0-6126
March 08, 2023
My Cloud Web App
4.26.0-6126
March 08, 2023
WD Cloud Web App
4.26.0-6126
March 08, 2023

Users of the mobile apps should promptly update the apps to reflect the latest changes. The web apps have automatically been updated.

Advisory Summary

Addressed a security concern where a device API endpoint was missing access controls. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This was addressed by enforcing token-based authentication on the corresponding endpoint to avoid unauthorized information disclosures.

CVE Number: CVE-2023-22813