Researchers with Vertical Structure and WhiteHat Security have discovered a critical flaw in Lenovo network-attached storage (NAS) devices that has left at least 3 million files on 5,114 storage devices exposed on the Internet.
Simon Whittaker of Vertical Structure warns that “the API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner,” adding that the current issue “is similar to thousands of open [AWS] S3 [storage] buckets being discovered.” Lenovo has issued an alert over the high-severity flaw, acknowledging that it can allow threat actors to access files stored on NAS shares via the unprotected API. NAS users can resolve the issue by updating their device's firmware.
Read more: Lenovo NAS Firmware Flaw Exposes Stored Data