Hello and welcome to the Wednesday, October 1st, 2025 edition of the Sands Internet Storms Centers.

Stormcast, my name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu graduate certificate program in

Purple Team Operations. When teaching our defensive web application security class, SAC

522, one of the things, of course, that always comes up is mistakes in off-occation

and access controls. And one of the examples that is always mentioned here are, well, simple cookies like

user equals admin.

So wanted to put this to the test to see how relevant this issue still is and looked at

some of our honeypots and what kind of cookies like this we are seeing in the honeypot

and well how often they're exploited certainly exploited quite a bit and the exploits or the

vulnerabilities being associated with these particular cookies are actually not that super old.

Like the first one here, UID equals 1,

goes with DVR vulnerability that was originally described about a year ago.

You also have this user equals admin a little bit older.

Many of these, of course, are IoT style vulnerabilities, so DVRs and

wireless access points, routers, and the like.

There are a couple interesting ones.

Like, there is the admin ID equals one GW admin ticket equals one,

I believe that one was from a Chinese VPN

that apparently can be administered using this particular cookie.

And then we also have the CMX saved ID cookies.

These are actually apparently associated with a biometric security system.

...