SaaS web services for Seagate GoFlex home storage devices are compromised by XSS and MitM attacks

According to securityaffairs, on January 23 that security experts found that more than 33,000 Seagate GoFlex home network storage (NAS) devices were easily exposed to the public network or caused cross-site scripting (XSS) and man-in-the-middle (MitM) attacks. Although Seagate has now patched XSS vulnerabilities in Personal Cloud and GoFlex products, unfortunately, there are still some issues that remain unresolved.

According to security expert Sood, the GoFlex home NAS appliance runs an accessible web service on seagateshare.com that allows users to remotely manage the appliance and its contents, as well as access storage by device name and login credentials. GoFlex firmware, on the other hand, runs an HTTP server that requires the user to enable port forwarding on the router in order to connect to the web service.

Cross-site scripting (XSS) and man-in-the-middle (MitM) attacks

Security expert Sood noticed that although the HTTP server supports outdated protocols SSLv2 and SSLv3, web services seagateshare.com supports SSLv3. However, both protocols expose users to MiTM attacks (including DROWN  and POODLE  attacks).

In addition, Sood also found an XSS on seagateshare.com that allows an attacker to execute malicious code in a user’s browsing session to trick a victim into clicking a specially crafted link.

Currently, Seagate only fixes XSS vulnerabilities and there does not seem to be any plan to fix some of the issues related to SSLv2 and SSLv3.

Source: SecurityAffairs