Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability, but a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.

The vulnerability is remarkable not only because it made it trivial to wipe what’s likely petabytes of user data. More notable still was the fact that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.

Done and undone

The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, which allows users to restore all default configurations and to wipe all data stored on the devices.