If you own a Synology NAS drive, you should update your device as soon as possible. As first reported by Wired, a group of Dutch security researchers recently identified a zero-click vulnerability within the Synology Photos app. For the uninitiated, bugs like this allow hackers to compromise your system without the user having to click anything first. To make matters worse, the app comes pre-installed and enabled by default on Synology’s consumer Bee network storage devices, and it is also a popular download among users of the company’s DiskStation systems.
Midnight Blue, the cybersecurity firm that discovered the vulnerability, estimates that millions of Synology users could be at risk. Synology has released a security patch to address the bug, but its NAS devices do not automatically download the update. “It’s not easy to find [vulnerabilities] on your own independently,” one of the researchers, Carlo Meijer, told Wired. “But when the patch is actually released and you reverse engineer the patch, it’s very easy to find and connect the dots.”
According to Midnight Blue, the zero-click bug lies in parts of the Synology Photos app that do not require authentication. As a result, an attacker can exploit it directly over the Internet without first bypassing any gateway. They can then gain root access and install malicious code on the compromised device. At that point, the company notes, there is little a malicious individual cannot do; they could even turn an infected device into part of a botnet. The possibility of ransomware gangs targeting Synology devices isn’t just theoretical either. Earlier this year, we reported that DiskStation users were targeted by ransomware attacks.
