Drobo

Yoics security issue

We installed Yoics on our DroboShare, but we didn’t ever wind up using it. However, we left it installed. Recently, we had an IT person in our lab, looking at some security issues. He informed us that he could log into our Drobo remotely without providing any username/password information - even though it’s password protected.

I investigated this, and found that if I simply entered the Drobo’s IP address into a browser, I got complete access to the Drobo… and it said “Powered by Yoics.” I de-activated DroboApps (thereby de-activating Yoics), and that solved the problem.

I strongly suggest that other users of Yoics investigate this. It’s a HUGE security problem! Has anyone else experienced this?

I posted about this yesterday on the Yoics forum, but have so far not gotten a response.

I got a response from Yoics, who confirmed that yes, this is a known issue.

I found this very concerning. I set up Yoics on my Drobo and registered on Yoics.com, after which anyone on the internet with the URL (and I can only assume via the IP) could access my entire Drobo NAS with no security or restrictions. All of a sudden all my files were wide open to the world. I have searched online for a forum entry on the security vulnerability but with no luck. I could find no way on Yoics.com to enable security, so I was forced to remove the app. Shame, because with security this would be a terrific app!!

Ouch, and just when I made a new post about Yoics… maybe that was what they said when they discovered that they just exposed their whole data to the world?
“Yoics”