Resolved the following command injection vulnerabilities:
The REST API provided by the web interface of My Cloud storage devices was vulnerable to a shell command injection. This vulnerability was addressed in the Web Admin Dashboard by sanitizing shell inputs.
Reported by: Daniel Forse
Resolved two command injection vulnerabilities exploitable by an unauthenticated attacker on the LAN. These vulnerabilities allowed any shell command to be injected into the device without authentication from the LAN side. They were fixed by improving parameter validation.
Reported by: Steve Campbell
Resolved a post-auth command injection vulnerability that affected WD My Cloud versions prior to 2.30.165. It was fixed by improving parameter validation.
Reported by: James Bercegay
Resolved multiple command injection vulnerabilities throughout the web UI and the Web Admin Dashboard.
Resolved the following cross site request forgery (CSRF) vulnerabilities:
A cross-site request forgery vulnerability was reported where an authenticated admin user could be enticed to visit a crafted website that would perform requests on their demand. Added Cross-Site Request Forgery protection.
Reported by: Remco Vermeulen
A CSRF vulnerability was reported in WD My Cloud where an attacker could use the user’s browser as a proxy to launch a CSRF attack. Implemented REST end point checks to block CSRF attacks.
Reported by: Edith Kain
Resolved multiple CSRF vulnerabilities on the WD My Cloud devices that could further lead to unauthenticated command injections as well as arbitrary file uploads.
Resolved multiple cross site request forgery vulnerabilities in the WD My Cloud web interface that could allow remote code execution and escalation of privileges.
Reported by: James Bercegay
Resolved multiple cross site request forgeries in storage and settings pages, backup pages and cloud access for My Cloud web interface. Also resolved multiple CSRF issues in the My Cloud app.
Resolved a Linux kernel vulnerability [Dirty Cow]. This allowed a local user to obtain root privileges on a target system.
Resolved a denial-of-service vulnerability in the user language preferences settings of the web interface.
Reported by: James Bercegay
An authentication bypass was reported in the WD My Cloud device that provided a user with admin privileges without authenticating. This issue was resolved by blocking SSH shadow information from the web browser view.
Reported by: Remco Vermeulen
The OpenSSH component has been updated to version 7.5p1 to address multiple vulnerabilities.
Reported by: Jacob Ent
Resolved a buffer overflow issue that could lead to unauthenticated access through the use of return-oriented programming (ROP). Added stack canary buffer overflow protection and ensured address space layout randomization (ASLR) was implemented correctly.
Reported by: Remco Vermeulen
The My Cloud operating system was vulnerable to potential brute-force attacks on the Dashboard authentication and SSH service. This made users with weak passwords more susceptible to having their files compromised. Resolved the vulnerability by enhancing security on authentication.
The version of portable SDK for UPnP (Universal Plug and Play) was vulnerable to a number of remote code execution vulnerabilities. Resolved the issue by updating the libupnp component to version 1.6.25.
Addressed a clickjacking vulnerability in all dashboards by adding the X-Frame-Options header in the web server and validating that SAMEORIGIN is returned.
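The validation step mentioned above can be automated. The following is an added example, not Western Digital's code: it audits captured response headers for a single, unambiguous X-Frame-Options: SAMEORIGIN value. The paths and header sets are constructed sample data, and the function names are hypothetical.

```python
# Added example (not vendor code): audit responses for the anti-framing header.
# All paths and header sets below are constructed sample data.

def xfo_values(headers):
    """Return the distinct X-Frame-Options values in a list of (name, value) pairs."""
    found = set()
    for name, value in headers:
        # Header names are case-insensitive.
        if name.strip().lower() == "x-frame-options":
            # Repeated headers may arrive folded into one comma-separated value.
            found.update(v.strip().upper() for v in value.split(",") if v.strip())
    return found

def check_framing(headers, expected="SAMEORIGIN"):
    """Return (ok, reason) for one response."""
    values = xfo_values(headers)
    if not values:
        return False, "X-Frame-Options missing"
    if len(values) > 1:
        return False, "conflicting values: " + ", ".join(sorted(values))
    (value,) = values
    if value != expected:
        return False, "unexpected value: " + value
    return True, "ok"

def audit(responses, expected="SAMEORIGIN"):
    """Map each failing path to its reason; an empty dict means every page passed."""
    failures = {}
    for path, headers in responses.items():
        ok, reason = check_framing(headers, expected)
        if not ok:
            failures[path] = reason
    return failures

# Constructed responses: header lists as an HTTP client would return them.
SAMPLE = {
    "/": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "/login": [("x-frame-options", "sameorigin")],
    "/settings": [("Content-Type", "text/html")],
    "/backups": [("X-Frame-Options", "SAMEORIGIN, ALLOWALL")],
    "/apps": [("X-Frame-Options", "ALLOW-FROM https://example.invalid")],
}

if __name__ == "__main__":
    for path, reason in audit(SAMPLE).items():
        print(path, "->", reason)
```

Running the audit against every dashboard route, not only the landing page, catches pages served by a handler that bypasses the web server's global header configuration.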
Resolved the following security issues in the Webfile viewer on-device app:
A path traversal to restricted directories vulnerability has been addressed in the Webfile viewer (CWE-22).
Resolved an unrestricted file upload command execution vulnerability in the Webfile viewer. This fix prevents arbitrary command execution and potential compromise of user data (CWE-829).
Improved the security of volume mount options. Added secure mount option for user shares. This limits what can be done from the user shares and enhances the security of the device in terms of scripted attacks or naive attacks such as remote exploitation methods or privilege escalation (CWE-275).
Resolved an EULA bypass vulnerability in EX2, EX4, and Mirror Gen1. It was possible for the user to bypass the EULA and configure the NAS device without accepting the agreement, leading to an improper access control vulnerability (CWE-284).
Improved credential handling for the remote MyCloud-to-MyCloud backup feature. Removed unencrypted credentials in the remote backup process, preventing credential exposure. Addressed cleartext transmission of sensitive information (CWE-319).
The admin interface of the firmware was running an outdated version of jQuery. jQuery has been updated to version 3.3.1 to address a Cross-Site Scripting (XSS) vulnerability.
Resolved a file-list validation vulnerability in the rsync component, an open-source utility that provides fast incremental file transfer. The component has been updated to version 3.1.3 to address the issue.
WD My Cloud devices provided IPv6 users with admin privileges without authenticating. This IPv6 authentication bypass vulnerability has been fixed to prevent authentication bypass using IPv6 redirects.
The PHP component has been updated to version 5.4.45 to address a number of potential vulnerabilities including buffer over-read, wrong hashes, use-after-free, remote command execution, null pointer dereference and directory traversal.
Resolved an authenticated remote command execution vulnerability in the My Cloud devices.
Reported by: Maor Shwartz
Added path variable checks to confirm data validity and prevent a potential attacker from calling a path they are not authorized to see. This prevents an attacker from gaining knowledge of the directory architecture.
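One way to implement the kind of path check described here and in the Webfile viewer path traversal fix (CWE-22) is to resolve the requested path and confirm it still lies inside the share. This is an added example, not the firmware's code; the function names and the directory tree are constructed for illustration, and it assumes the request has already been URL-decoded exactly once.

```python
import os
import tempfile

def resolve_in_share(share_root, requested):
    """Return the real path for `requested` if it stays inside `share_root`, else None."""
    if "\x00" in requested:
        return None  # NUL bytes can truncate paths in lower layers
    root = os.path.realpath(share_root)
    # Treat the request as relative to the share even if it starts with "/".
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # realpath() has collapsed ".." and followed symlinks, so this compares the
    # final location, component by component ("share2" is not inside "share").
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def demo():
    """Build a constructed directory tree and return allow/deny per request."""
    with tempfile.TemporaryDirectory() as top:
        share = os.path.join(top, "share")
        os.mkdir(share)
        for name in ("secret.txt", os.path.join("share", "ok.txt")):
            with open(os.path.join(top, name), "w") as fh:
                fh.write("x")
        # A symlink inside the share that points outside it.
        os.symlink(os.path.join(top, "secret.txt"), os.path.join(share, "link"))
        requests = [
            "ok.txt",
            "../secret.txt",
            "sub/../../secret.txt",
            "link",
            "../share2/ok.txt",
            "ok.txt\x00.jpg",
        ]
        return {r: resolve_in_share(share, r) is not None for r in requests}

if __name__ == "__main__":
    for request, allowed in demo().items():
        print(repr(request), "allowed" if allowed else "denied")
```

Returning the same generic error for "outside the share" and "does not exist" keeps the check from revealing the directory layout.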
Secured the Web Admin Dashboard by using enhanced session management cookies, preventing potential attackers from cloning and compromising a user session (CWE-287).
The web file viewer had an issue with insufficient entropy that could allow an attacker to generate their own tokens to download files within a user’s own share if they had a token for the download link. The issue was resolved by enhancing token entropy to make it difficult for an attacker to “crack” the token in order to reveal the seed and formulate the hash.
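A download-link scheme in which holding one valid token gives no help in producing another can be built from an HMAC under a key drawn from the operating system's CSPRNG. This is an added example, not the firmware's implementation; the token format, field names and 600-second lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Per-device secret from the OS CSPRNG (256 bits); never derived from a
# timestamp, serial number or other guessable seed.
KEY = secrets.token_bytes(32)

def _mac(key, share, path, expires):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (share.encode(), path.encode(), str(expires).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_token(key, share, path, ttl=600, now=None):
    """Return '<expiry>.<mac>' bound to one share, one path and one expiry time."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{expires}.{_mac(key, share, path, expires)}"

def verify_token(key, token, share, path, now=None):
    """Accept only an unexpired token whose MAC matches this share and path."""
    now = int(time.time() if now is None else now)
    expires_text, sep, mac = token.partition(".")
    if not sep or not (expires_text.isascii() and expires_text.isdigit()):
        return False
    expires = int(expires_text)
    expected = _mac(key, share, path, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return now <= expires

if __name__ == "__main__":
    t = issue_token(KEY, "alice", "/docs/report.pdf")
    print(verify_token(KEY, t, "alice", "/docs/report.pdf"))   # same file
    print(verify_token(KEY, t, "alice", "/docs/other.pdf"))    # different file
```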
Improved credential handling for upload-logs-to-support option. Removed hardcoded FTP credentials that were used when uploading logs. This prevents an attacker from uploading potentially malicious files to our FTP server.
Resolved leakage of debug messages in the web interface.
A warning has been added to the firmware when enabling the remote administrative dashboard feature. It is recommended to use the mycloud.com interface to interact with your My Cloud device remotely instead.