Another example of why not to buy products from half-baked NAS manufacturers. The exploit here is mind-blowingly simple.
According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin – which unlocks admin access.
https://www.theregister.co.uk/2018/0...ital_my_cloud/
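A simplified model of the flaw class described above, with the client-trusting check beside a hardened one. This is an added example, not My Cloud firmware code: the session table, the function names, the `session` cookie and the IP addresses are all assumptions made for illustration.

```python
import hmac
import secrets

# Server-side session table (constructed model): client IP -> session record.
SESSIONS = {}

def create_session(client_ip):
    """Bind a session to the caller's IP. No user is authenticated yet."""
    SESSIONS[client_ip] = {"token": secrets.token_hex(16), "user": None}
    return SESSIONS[client_ip]["token"]

def login(client_ip, user, password_ok):
    """Record the authenticated user server-side; return the token or None."""
    if not password_ok:
        return None
    token = create_session(client_ip)
    SESSIONS[client_ip]["user"] = user
    return token

def is_admin_flawed(client_ip, cookies):
    """Flawed: a session for this IP plus a client-supplied username is enough."""
    return client_ip in SESSIONS and cookies.get("username") == "admin"

def is_admin_hardened(client_ip, cookies):
    """Hardened: identity comes from server state, selected by a secret token."""
    record = SESSIONS.get(client_ip)
    if record is None or record["user"] is None:
        return False  # session exists but nobody logged in on it
    presented = cookies.get("session", "").encode()
    if not hmac.compare_digest(presented, record["token"].encode()):
        return False  # constant-time comparison of the session token
    return record["user"] == "admin"  # the username cookie is never consulted

def demo():
    """Return (flawed accepts forged, hardened accepts forged, hardened accepts real)."""
    SESSIONS.clear()
    create_session("203.0.113.7")  # constructed IP, session without login
    forged = {"username": "admin"}
    token = login("198.51.100.2", "admin", password_ok=True)
    genuine = {"username": "admin", "session": token}
    return (
        is_admin_flawed("203.0.113.7", forged),
        is_admin_hardened("203.0.113.7", forged),
        is_admin_hardened("198.51.100.2", genuine),
    )

if __name__ == "__main__":
    print(demo())
```

The hardened check never reads the `username` cookie; the role is looked up from the record the server wrote at login.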