Transcend Firmware 1.8 CSRF / Brute Force

Posted Mar 27, 2017
Authored by MustLive

Transcend with firmware version 1.8 suffers from cross site request forgery, predictable resource, and brute force vulnerabilities.

tags | exploit, vulnerability, csrf
SHA-256 | 1a4032fa7dcf5d2be45c3dbe7dec9600646e994b5861142be52724d063667022

Hello list!

All your photos and videos are belong to me. If they are on a Transcend flash
card :-).

There are Predictable Resource Location, Brute Force and Cross-Site Request
Forgery vulnerabilities in the Transcend Wi-Fi SD Card.

-------------------------
Affected products:
-------------------------

The following model is vulnerable: Transcend Wi-Fi SD Card 16 GB, firmware
v1.8. This model with other firmware versions, and other Transcend models,
may also be vulnerable.

----------
Details:
----------

There are two modes of connection to the flash card: Direct Share and
Internet Mode. In the first mode a Wi-Fi device connects directly to the
card; in the second mode the card itself connects to a Wi-Fi network
(access point, router or smartphone with Personal Hotspot enabled), and then
all computers on that LAN have access to it. I will discuss the first mode;
I will write about the second in the next advisory.

Predictable Resource Location (WASC-34):

When you insert the card into a digital camera and turn the camera on, Wi-Fi
starts immediately and anyone can connect to it in Direct Share mode using
the default SSID and password. It is unlikely that the owner will change
these settings: the card's software and documentation give no advice on
changing this password or the admin panel password.

It is possible to access all files on the card using the iOS and Android
applications. After starting the app, one only needs to enter the username
and password for the admin panel.

Also in Direct Share mode it is possible to reach the admin panel in a
browser and access all files on the flash card, using the default username
and password.

Brute Force (WASC-11):

There is no protection against BF attacks in the admin panel at
192.168.11.254, because Basic Authentication is used. It is unlikely that the
owner will change the login and password for the admin panel, but even if
they do, the credentials can still be picked up by brute force.

Cross-Site Request Forgery (WASC-09):

There are CSRF vulnerabilities in the admin panel, such as this one: the
login process has no captcha, so besides the lack of protection against BF,
a CSRF attack can also be made. It is possible to log into the admin panel
remotely (with the default login and password) for conducting further CSRF
attacks.

<img src="http://admin:admin@192.168.11.254">
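As an added, defender-side example (not part of MustLive's advisory): both weaknesses above leave traces in an HTTP access log that can be checked for. The Python below assumes the panel writes Common Log Format lines with the Basic-auth user name in the user field; it flags clients that pile up 401 responses (the brute-force case) and authenticated 200s whose Referer is a foreign origin (the trace a credentialed `<img>` embed on another page would leave). The log lines and the foreign host name are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PANEL_HOST = "192.168.11.254"          # admin panel address from the advisory
BF_THRESHOLD, BF_WINDOW = 4, timedelta(seconds=60)
# CLF: src - user [ts] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

# Constructed sample (not real device logs): one normal request, four failed
# Basic-auth attempts from one client, then an authenticated request referred
# from a foreign page, the trace an <img src="http://admin:admin@host"> embed leaves.
SAMPLE_LOG = """\
192.168.11.10 - admin [27/Mar/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.11.23 - - [27/Mar/2017:10:00:05 +0000] "GET / HTTP/1.1" 401 0 "-" "curl/7.50"
192.168.11.23 - - [27/Mar/2017:10:00:06 +0000] "GET / HTTP/1.1" 401 0 "-" "curl/7.50"
192.168.11.23 - - [27/Mar/2017:10:00:07 +0000] "GET / HTTP/1.1" 401 0 "-" "curl/7.50"
192.168.11.23 - - [27/Mar/2017:10:00:08 +0000] "GET / HTTP/1.1" 401 0 "-" "curl/7.50"
192.168.11.10 - admin [27/Mar/2017:10:05:00 +0000] "GET / HTTP/1.1" 200 512 "http://other-site.example/" "Mozilla/5.0"
"""

def parse_log(text):
    """Parse CLF lines into dicts with a datetime 'ts' and an int 'status'."""
    records = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
        r["status"] = int(r["status"])
        records.append(r)
    return records

def find_bruteforce(records):
    """Clients with BF_THRESHOLD or more 401s inside any BF_WINDOW span."""
    fails = defaultdict(list)
    for r in records:
        if r["status"] == 401:
            fails[r["src"]].append(r["ts"])
    flagged = set()
    for src, ts in fails.items():
        ts.sort()
        if any(ts[i + BF_THRESHOLD - 1] - ts[i] <= BF_WINDOW
               for i in range(len(ts) - BF_THRESHOLD + 1)):
            flagged.add(src)
    return flagged

def find_cross_origin_auth(records):
    """Authenticated 200s whose Referer is some origin other than the panel."""
    return [(r["src"], r["referer"]) for r in records
            if r["status"] == 200 and r["user"] != "-" and r["referer"] not in ("", "-")
            and not r["referer"].startswith("http://" + PANEL_HOST)]
```

Real devices may not log the user field or the Referer at all; where they do not, the brute-force check still works from the status codes alone.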

------------
Timeline:
------------

2014.05.10 - found vulnerabilities in Transcend Wi-Fi SD Card 16 GB.
2015.08.01 - announced at my site. Later informed developers.
2017.01.28 - disclosed at my site (http://websecurity.com.ua/7900/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua