Security researchers found a serious zero-click bug in Synology’s Photos app

If you own a Synology NAS drive, you’ll want to update your device as soon as possible. As first reported by Wired, a group of Dutch security researchers recently identified a zero-click vulnerability within the Synology Photos app. For the uninitiated, such bugs allow hackers to compromise a system without a user needing to click something first. To make matters worse, the app comes pre-installed and enabled by default on Synology’s consumer line of Bee network storage devices. It’s also a popular download among those who use the company’s DiskStation systems.

Midnight Blue, the cybersecurity firm that discovered the vulnerability, estimates that millions of Synology users may be at risk. Although the company released a security patch to address the bug, its NAS devices do not automatically download updates. “It’s not trivial to find [the vulnerability] on your own, independently,” Carlo Meijer, one of the researchers, told Wired. “But it is pretty easy to figure out and connect the dots when the patch is actually released, and you reverse-engineer the patch.”

According to Midnight Blue, the zero-click is found in a part of the Synology Photos app that does not require authentication. As a result, attackers can exploit the bug directly over the internet and without needing to bypass a gateway first. They can then gain root access and install malicious code on the compromised device. At that point, there’s not much a malicious individual couldn’t do, with the firm noting it would even be possible to turn the infected device into a botnet. The possibility a ransomware gang could target Synology devices isn’t just theoretical either. Earlier this year, DiskStation users reported that they were the target of a ransomware attack.