ReadyCloud Security Flaw

eprevost
Follower

I opened a case with Netgear in June regarding a security flaw I found in ReadyCloud. I was told the hole would be fixed in firmware 6.5.2, but it's still there. Now my case is closed, and I can't open a new one, since my free 3-month support period is over. My case # was 26923439.

From my experiments, it looks like this flaw allows anybody to download any file on a ReadyCloud-enabled NAS anonymously... Pretty scary, and sad to get the impression that Netgear didn't take this case seriously.

Basically, if I download a file from my NAS through the ReadyCloud web portal over the Internet, the browser uses a URL like this to get the file: https://rc-z2-r2.io.netgear.com/directio/[A GUID here]/download.do/[Path to file on my NAS]. I was able to use this URL directly from another browser tab, even after logging off from the ReadyCloud portal. I was even able to use the URL on another device. But here is the scariest part: using the same URL, it looks like I could download any file on my NAS, as long as I know the exact file name, without providing any credentials.

How can I reopen the case?

Model: RN104|ReadyNAS 100 Series

Accepted Solutions
andreyrom
NETGEAR Expert

Re: ReadyCloud Security Flaw

This security issue was patched in firmware 6.5.0 - the device will not allow the user to download arbitrary files on the file system. Download access is limited to users within their access permission scope: invited users to their home folder and the shares shared with them; the owner to all shares and home folders.

There is a server patch which is ready and going to be deployed in early October - with that improvement the server will no longer allow reusing download links that have already been used.

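To make the behaviour in this thread concrete, here is an added toy model in Python of a "directio" download link of the form /directio/[GUID]/download.do/[path]: first as eprevost observed it (the GUID is the only credential, it keeps working after logout and on other devices, and any path is served), then with the two fixes andreyrom lists (downloads limited to the user's permission scope, and links that cannot be reused once consumed). This is illustration code written for this page, not Netgear's or ReadyCloud's implementation; the share layout, user names, GUID format and the path-normalisation step are constructed assumptions, and the real service's internals are not described on the page.

```python
"""Toy model of a ReadyCloud-style 'directio' download link (constructed
illustration for this thread, not Netgear's code)."""
import posixpath
import secrets

# Constructed NAS layout: share -> users allowed to read it.  The owner may
# read every share and every home folder, as the accepted answer states.
OWNER = "owner"
SHARES = {
    "home/alice": {"alice"},
    "home/bob": {"bob"},
    "photos": {"alice", "bob"},   # a share both invited users were given
    "backup": set(),              # owner-only
}


def normalize(path):
    """Collapse '.' and '..' and strip the leading '/', so that
    'photos/../home/bob/x' is judged as 'home/bob/x'.  Added hardening
    step; the thread itself does not mention path normalisation."""
    return posixpath.normpath("/" + path).lstrip("/")


def allowed(user, path):
    """Permission scope from the accepted answer: the owner sees everything,
    invited users only their home folder and the shares shared with them."""
    if user == OWNER:
        return True
    for share, readers in SHARES.items():
        if path == share or path.startswith(share + "/"):
            return user in readers
    return False   # outside every share, e.g. 'etc/passwd'


class VulnerableDirectIO:
    """Pre-6.5.0 behaviour as reported: the GUID is the only credential, it is
    never invalidated, and the path after download.do/ is not checked."""

    def __init__(self):
        self.links = set()

    def create_link(self, user):
        guid = secrets.token_hex(16)
        self.links.add(guid)
        return guid

    def download(self, guid, path):
        if guid not in self.links:
            return None
        return "contents of " + path          # any path, any number of times


class HardenedDirectIO:
    """Link bound to one user and one file, checked against the permission
    scope when issued and when used, and consumed on first use."""

    def __init__(self):
        self.links = {}                        # guid -> (user, path)

    def create_link(self, user, path):
        path = normalize(path)
        if not allowed(user, path):
            raise PermissionError(f"{user} may not read {path}")
        guid = secrets.token_urlsafe(24)
        self.links[guid] = (user, path)
        return guid

    def download(self, guid, path):
        entry = self.links.pop(guid, None)     # pop: the link is single-use
        if entry is None:
            return None
        user, bound_path = entry
        if normalize(path) != bound_path or not allowed(user, bound_path):
            return None
        return "contents of " + bound_path


def demo():
    """Run both services through the scenario from the thread and return the
    observations as a dict so they can be checked, not just printed."""
    out = {}
    v = VulnerableDirectIO()
    g = v.create_link("alice")
    out["vuln_other_users_file"] = v.download(g, "home/bob/secret.txt")
    out["vuln_reuse"] = v.download(g, "home/bob/secret.txt")
    out["vuln_system_file"] = v.download(g, "../../etc/passwd")

    h = HardenedDirectIO()
    g = h.create_link("alice", "photos/holiday.jpg")
    out["hard_first_use"] = h.download(g, "photos/holiday.jpg")
    out["hard_reuse"] = h.download(g, "photos/holiday.jpg")
    g = h.create_link("alice", "photos/holiday.jpg")
    out["hard_other_path"] = h.download(g, "home/bob/secret.txt")
    try:
        h.create_link("alice", "photos/../home/bob/secret.txt")
        out["hard_traversal_link"] = "issued"
    except PermissionError:
        out["hard_traversal_link"] = "refused"
    out["owner_backup"] = h.download(h.create_link(OWNER, "backup/db.sqlite"),
                                     "backup/db.sqlite")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the vulnerable link serving another user's home folder and a path outside the NAS shares on every call, while the hardened link serves exactly one file once and refuses to be issued for anything outside the requesting user's scope. A quick check against a real deployment is the one eprevost describes: fetch a download URL a second time from a fresh browser session; after the server patch it should fail.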
