Security researchers found a serious zero-click bug in Synology's Photos app

If you own a Synology NAS drive, you’ll want to update your device as soon as possible. As first reported by Wired, a group of Dutch security researchers recently identified a zero-click vulnerability within the Synology Photos app. For the uninitiated, such bugs allow hackers to compromise a system without a user needing to click something first. To make matters worse, the app comes pre-installed and enabled by default on Synology’s consumer line of Bee network storage devices. It’s also a popular download among those who use the company’s DiskStation systems. Midnight Blue, the cybersecurity firm that discovered the vulnerability, estimates that millions of Synology users may be at risk. Although the company released a security patch to address the bug, its NAS devices do not automatically download updates. “It’s not trivial to find [the vulnerability] on your own, independently,” Carlo Meijer, one of the researchers, told Wired. “But it is pretty easy to figure out and connect the dots when the patch is actually released, and you reverse-engineer the patch.” According to Midnight Blue, the zero-click is found in a part of the Synology Photos app that does not require authentication. As a result, attackers can exploit the bug directly over the internet and without needing to bypass a gateway first. They can then gain root access and install malicious code on the compromised device. At that point, there’s not much a malicious individual couldn’t do, with the firm noting it would even be possible to turn the infected device into a botnet. The possibility a ransomware gang could target Synology devices isn’t just theoretical either. Earlier this year, DiskStation users reported that they were the target of a ransomware attack.This article originally appeared on Engadget at https://www.engadget.com/computing/security-researchers-found-a-serious-zero-click-bug-in-synologys-photos-app-145147159.html?src=rss

Nov 1, 2024 - 20:30
 0
Security researchers found a serious zero-click bug in Synology's Photos app

If you own a Synology NAS drive, you’ll want to update your device as soon as possible. As first reported by Wired, a group of Dutch security researchers recently identified a zero-click vulnerability within the Synology Photos app. For the uninitiated, such bugs allow hackers to compromise a system without a user needing to click something first. To make matters worse, the app comes pre-installed and enabled by default on Synology’s consumer line of Bee network storage devices. It’s also a popular download among those who use the company’s DiskStation systems.

Midnight Blue, the cybersecurity firm that discovered the vulnerability, estimates that millions of Synology users may be at risk. Although the company released a security patch to address the bug, its NAS devices do not automatically download updates. “It’s not trivial to find [the vulnerability] on your own, independently,” Carlo Meijer, one of the researchers, told Wired. “But it is pretty easy to figure out and connect the dots when the patch is actually released, and you reverse-engineer the patch.”

According to Midnight Blue, the zero-click is found in a part of the Synology Photos app that does not require authentication. As a result, attackers can exploit the bug directly over the internet and without needing to bypass a gateway first. They can then gain root access and install malicious code on the compromised device. At that point, there’s not much a malicious individual couldn’t do, with the firm noting it would even be possible to turn the infected device into a botnet. The possibility a ransomware gang could target Synology devices isn’t just theoretical either. Earlier this year, DiskStation users reported that they were the target of a ransomware attack.This article originally appeared on Engadget at https://www.engadget.com/computing/security-researchers-found-a-serious-zero-click-bug-in-synologys-photos-app-145147159.html?src=rss

What's Your Reaction?

like

dislike

love

funny

angry

sad

wow

Viral News Code whisperer by profession, narrative alchemist by passion. With 6 years of tech expertise under my belt, I bring a unique blend of logic and imagination to ViralNews360. Expect everything from tech explainers that melt your brain (but not your circuits) to heartwarming tales that tug at your heartstrings. Come on in, the virtual coffee's always brewing!