From their page (here)...
"Buffalo's unique Web Access feature allows LinkStation Live users to share their pictures, music or other files with friends and family through any ordinary Web browser. You don't need to install any software and neither do those with whom you want to share your files."
2 things wrong with this...
- Isn't this file-sharing? The illegal kind, potentially?
- Remote access to your system (NAS) without having to install any software? I hope they at least do serious authentication and encryption! And it's a good thing browsers are secure enough to keep your system safe!
"BuffaloNAS is the portal site that is responsible for establishing a peer-to-peer connection between Buffalo NAS (Network Attached Storage) servers, such as the LinkStation Live and external users."
So if I understand this correctly, this portal site run by Buffalo NAS gains access to your computer, and enforces share permissions over the web. That sounds secure.
"For example, if you have a LinkStation Live at your home or office, you can configure the integrated Web Access server so that certain shares on your system become available to users on the Internet."
What can I say... making it idiot-proof to share your company's documents over the web is a great idea, right?
"The configuration is a simple process. If you have an UPnP enabled router (most all recent routers support UPnP) you don't even need to configure anything on your firewall. All you have to do is enable the Web Access server at your local LinkStation. Don't forget to set your access permissions in the "Folder Setup" section of the main menu. Then, you merely need to enter a name (i.e. BaldEagle) and key (i.e. 12345) and wait for the acknowledgement from BuffaloNAS.com. If no one has picked your name already, you are set to go."
Someone should conduct a security audit of this service! How many users out there do you suppose you could guess the name of? Further - there are no requirements for complexity on the passwords or anything!
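Since the quoted setup leans on UPnP to open the firewall without the owner configuring anything, a quick check on your own network is to list the router's UPnP port mappings and see which ones point at the NAS. The script below is an added example, not anything from Buffalo's page: the listing is constructed sample text in the style of `upnpc -l` output (miniupnpc), and the addresses, ports and descriptions in it are made up.

```python
import ipaddress
import re

# Constructed sample in the style of `upnpc -l` output; every address,
# port and description here is made up for this example.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  9000->192.168.11.150:9000 'NAS Web Access' '' 0
 1 UDP 51413->192.168.11.23:51413 'BitTorrent client' '' 3600
 2 TCP  8443->192.168.11.150:443 'NAS admin' '203.0.113.7' 0
"""

MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->(?P<addr>[\d.]+):(?P<int>\d+)"
    r"\s+'(?P<desc>[^']*)'\s+'(?P<remote>[^']*)'\s+(?P<lease>\d+)\s*$"
)

def parse_mappings(listing):
    """Return one dict per port-mapping line; the header and other lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue
        mappings.append({
            "proto": m["proto"],
            "ext_port": int(m["ext"]),
            "addr": str(ipaddress.ip_address(m["addr"])),  # raises on a malformed address
            "int_port": int(m["int"]),
            "desc": m["desc"],
            "remote": m["remote"],  # empty string means no source restriction
            "lease": int(m["lease"]),
        })
    return mappings

def audit(mappings, storage_hosts):
    """Flag forwards that land on a storage device and say why each is risky."""
    findings = []
    for mp in mappings:
        if mp["addr"] not in storage_hosts:
            continue
        reasons = []
        if not mp["remote"]:
            reasons.append("open to any Internet source")
        if mp["lease"] == 0:
            reasons.append("lease never expires")
        findings.append((mp["ext_port"], mp["proto"], mp["addr"], mp["int_port"], reasons))
    return findings

if __name__ == "__main__":
    nas = {"192.168.11.150"}  # assumed LAN address of the NAS
    for ext, proto, addr, port, reasons in audit(parse_mappings(SAMPLE_LISTING), nas):
        print(f"{proto} {ext} -> {addr}:{port}: {', '.join(reasons) or 'restricted'}")
```

Any mapping it reports that you did not knowingly ask for is a reason to turn off the feature on the NAS, or UPnP on the router, and forward ports by hand.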
There's even a Quick Start page too... to get you going quickly. My favorite feature is to allow anonymous access to web-shared folders on the NAS.
Interestingly enough, you can simply build a quick script to exploit this service (or at least gather some great intel) in about 1 minute or less. As an example, I just typed in something obvious such as https://buffalonas.com/steve and got the following screen, first alerting me that the site's SSL certificate wasn't trusted... then once I accepted that prompting me for a username and password. I stopped there...
I'm sorry - but this is just irresponsible on Buffalo's part. Allowing access to a NAS system over the Internet and advertising it as simple as they do - it's just irresponsible.