ASUS GT-AC2900 Authentication Bypass [CVE-2021-32030]
Original Post:
We discussed this vulnerability during Episode 76 on 11 May 2021.
The device administration web app fails to properly validate the session cookie, allowing an unauthenticated attacker to gain access. The issue depends on the internal ifttt_token not being set (the default). In that case, an attempt to read the ifttt_token out of nvram returns an empty string. When the session token (the asus_token cookie) is validated, it is compared against the ifttt_token value using strcmp. Because strcmp stops at the first NUL byte, a cookie whose value starts with a NULL byte compares equal to the empty string, so the check passes and the request is treated as authenticated as ifttt.
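The comparison failure described above, modelled in C as an added example (this is not ASUS firmware code; the nvram lookup, the token value and the cookie bytes are constructed stand-ins). It shows why `strcmp` against an unset (empty) stored token accepts a cookie that begins with a NUL byte, and a hardened check that refuses an empty configured token, compares explicit lengths, and uses a constant-time loop over the decoded cookie bytes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the router's nvram lookup: returns the stored
 * ifttt_token, or "" when the key was never set (the default case). */
static const char *nvram_get_ifttt_token(bool token_configured) {
    return token_configured ? "s3cr3t-ifttt-token" : "";
}

/* Vulnerable pattern from the post: the cookie is compared to the stored
 * token with strcmp. With the token unset the stored value is "", and a
 * cookie whose first byte is NUL compares equal to "" and is accepted. */
bool check_cookie_vulnerable(const char *cookie, bool token_configured) {
    const char *stored = nvram_get_ifttt_token(token_configured);
    return strcmp(cookie, stored) == 0;
}

/* Hardened variant (added here, not ASUS's fix): an unset or empty stored
 * token never authenticates, lengths must match exactly, and the decoded
 * cookie bytes are compared in constant time instead of via strcmp. */
bool check_cookie_hardened(const unsigned char *cookie, size_t cookie_len,
                           bool token_configured) {
    const char *stored = nvram_get_ifttt_token(token_configured);
    size_t stored_len = strlen(stored);
    if (stored_len == 0 || cookie_len != stored_len) {
        return false; /* empty configured token means the feature is disabled */
    }
    unsigned char diff = 0;
    for (size_t i = 0; i < stored_len; i++) {
        diff |= cookie[i] ^ (unsigned char)stored[i];
    }
    return diff == 0;
}

int main(void) {
    /* Constructed decoded cookie value whose first byte is NUL. */
    const unsigned char nul_cookie[] = { 0x00, 'x', 'y', 'z' };
    const unsigned char good_cookie[] = "s3cr3t-ifttt-token";

    printf("vulnerable, token unset, NUL cookie : %s\n",
           check_cookie_vulnerable((const char *)nul_cookie, false) ? "ACCEPTED" : "rejected");
    printf("hardened,   token unset, NUL cookie : %s\n",
           check_cookie_hardened(nul_cookie, sizeof nul_cookie, false) ? "ACCEPTED" : "rejected");
    printf("hardened,   token set,   real token : %s\n",
           check_cookie_hardened(good_cookie, strlen((const char *)good_cookie), true) ? "ACCEPTED" : "rejected");
    return 0;
}
```

The vulnerable function accepts the NUL-prefixed cookie only in the token-unset case, which is exactly the default configuration the post describes; the hardened function rejects it regardless, and still accepts the genuine token when one is configured.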