Last Updated: October 24, 2019

Description

The My Cloud Home and ibi Portal websites have been updated to improve their security. Versions prior to this were vulnerable to a clickjacking vulnerability in which an attacker could trick a user into clicking on an unexpected webpage element on the My Cloud Home and ibi portal websites. This could potentially route the user to an attacker chosen destination used for malicious purposes. This attack can be used to reveal confidential information or could lead to the attacker gaining complete control over a user’s system.

Advisory Summary

My Cloud Home and ibi portal websites have now addressed this clickjacking vulnerability by adding the X-Frame Options HTTP Response header to the pages that require protection from clickjacking. This frame-busting method is used to restrict a web page from being loaded in a sub-frame.

Addressed multiple Clickjacking vulnerabilities for the following websites:

• https://ibi.sandisk.com/
• home.mycloud.com
• http://mycloud.com/#/
• http://status.mycloud.com/

CVE Number: CVE-2020-10951

Reported by: Tayyab Sial