Exploiting Cloud Connectivity to PWN your NAS: Synology DS920

Team82 discovered and responsibly disclosed multiple vulnerabilities in Synology's QuickConnect infrastructure that allowed an attacker on the same network (with knowledge of a victim's email) to enumerate device identifiers (MAC, serial, model, DS-Token), obtain or register device API keys, leak AUTH-KEY and Device ID via public APIs, and update QuickConnect to point a victim to an attacker-controlled IP. By redirecting users to the impersonating device an attacker could capture login credentials and session tokens (X-SYNO-TOKEN and session ID), enable SSH and create backdoor accounts to achieve remote code execution and persistent control; Synology patched the issues after coordinated disclosure during Pwn2Own Toronto.