Just last week, PetaPixel reported that an exploit was discovered through the WD community pages that caused some WD My Book Live users to have all of their data deleted. A further investigation alleges that the data wipes were caused not by a single vulnerability alone, but also by a second critical security bug that let hackers remotely perform factory resets without the use of a password.
According to the investigation, a developer from the Western Digital team actually coded a requirement for a password before a factory reset was performed, but that requirement was later removed.
“The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the devices,”