A security flaw in Synology’s popular photo application has left millions of users’ devices vulnerable to a zero-click attack. Researchers have discovered that the bug, which was exposed during the Pwn2Own hacking contest, allows attackers to gain access to devices and steal sensitive data, including personal files and corporate documents. The vulnerability affects Synology’s BeeStation storage devices and DiskStation systems, which are widely used by individuals and businesses worldwide.
Synology has confirmed the issue and released patches, but it remains unclear how many customers have applied them. The company notes that the vulnerability is critical, and attackers can exploit it to gain root access and install malicious code on the device. Researchers warn that this is not only a data-theft concern but also a potential botnet threat.
The discovery was made by a group of Dutch researchers who scanned internet-connected devices and found hundreds of thousands of Synology NASes vulnerable to the attack. The vulnerability is particularly concerning because it does not require authentication, making it easy for attackers to exploit over the internet.
Source: https://www.wired.com/story