CORS Misconfiguration on Western Digital Store

WDC Tracking Number: WDC-19011
Product Line/Web:
Published: August 17, 2019

Last Updated: August 17, 2019


A misconfiguration of the Western Digital Store improperly allowed access to store resources (including account configuration) from outside domains.

Product/Web site
Last Updated
One Store Website - Account section
August 17, 2019

Advisory Summary

The Access-Control-Allow-Origin header was misconfigured and improperly allowed access to Western Digital Store resources from outside domains. This could have been exploited by an attacker to view or change a logged-in user’s name or email address by having a user visit a separate, malicious web site. The access origin rules have been updated to prevent this attack.

Reported by Tushar Anand