CORS Misconfiguration on Western Digital Store
WDC Tracking Number: WDC-19011
Product Line/Web: https://shop.westerndigital.com/store/my-account
Published: August 17, 2019
Last Updated: August 17, 2019
Description
A misconfiguration of the Western Digital Store improperly allowed access to store resources (including account configuration) from outside domains.
Advisory Summary
The Access-Control-Allow-Origin header was misconfigured and improperly allowed access to Western Digital Store resources from outside domains. This could have been exploited by an attacker to view or change a logged-in user’s name or email address by having a user visit a separate, malicious web site. The access origin rules have been updated to prevent this attack.
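The access origin rule change described above can be sketched as follows. This is an added example, not Western Digital's code: it assumes the flaw took the common form of echoing the request Origin with credentials allowed, which the advisory does not state. All origins, function names and the probe list are constructed for illustration.

```javascript
// Constructed placeholder origins; not the store's real configuration.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example.com",
  "https://account.example.com",
]);

// Weak policy (assumed form of the flaw): echo any Origin and allow cookies.
function weakCorsHeaders(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected policy: exact match of a well-formed origin against a fixed allowlist.
function strictCorsHeaders(origin) {
  let normalized;
  try {
    normalized = new URL(origin).origin; // throws on "null", undefined, garbage
  } catch {
    return {};
  }
  // Reject anything that is not already in canonical scheme://host[:port] form.
  if (normalized !== origin || !ALLOWED_ORIGINS.has(normalized)) return {};
  return {
    "Access-Control-Allow-Origin": normalized,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's grant to another
  };
}

// Regression check: list probe origins outside the allowlist that a policy
// would still grant credentialed cross-origin reads to.
function auditPolicy(policy, probes) {
  return probes.filter((origin) => {
    const h = policy(origin);
    const granted = h["Access-Control-Allow-Origin"] === origin;
    const withCreds = h["Access-Control-Allow-Credentials"] === "true";
    return granted && withCreds && !ALLOWED_ORIGINS.has(origin);
  });
}

// Constructed probes: unrelated origin, suffix lookalike, opaque origin, legitimate origin.
const PROBES = [
  "https://outside.example.net",
  "https://shop.example.com.outside.example.net",
  "null",
  "https://shop.example.com",
];
```

Running `auditPolicy` over both policies in a deployment test catches a regression to the permissive rule before it ships.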
Reported by Tushar Anand