The hack is surprisingly simple: it requires just a couple of lines of code and tricks the device into giving you administrative privileges by sending a cookie that contains "username=admin".
According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin – which unlocks admin access. WD was informed of the bug in April. Securify is publicly disclosing the matter because they did not receive a response from the storage firm.
Thus if properly constructed, the request would establish an admin login session to the device without ever asking for a password. In other words, just tell it you're the admin user in the cookie, and you're in.
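A simplified model of this class of flaw beside a hardened check, as an added example that is not code from Securify, WD or the original article. The function names, the `session` cookie name and the demo account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo account; not a real device credential.
_SALT = secrets.token_bytes(16)
_USERS = {"admin": hashlib.pbkdf2_hmac("sha256", b"demo-only-password", _SALT, 100_000)}
_SESSIONS = {}  # session token -> (username, client IP), held server-side only


def is_admin_vulnerable(cookies, client_ip):
    """Simplified model of the flaw: identity is read from a client-supplied cookie."""
    return cookies.get("username") == "admin"


def login(username, password, client_ip):
    """Issue an unguessable session token only after the password verifies."""
    stored = _USERS.get(username)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, supplied):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = (username, client_ip)
    return token


def is_admin_hardened(cookies, client_ip):
    """Identity comes from the server-side session record, never from cookie claims."""
    record = _SESSIONS.get(cookies.get("session", ""))
    if record is None:
        return False
    username, bound_ip = record
    # The role is whatever the server stored at login; the IP binding is a
    # secondary check layered on top of the token, not a substitute for it.
    return username == "admin" and bound_ip == client_ip
```

The hardened check ignores any `username` cookie entirely: the only thing the client presents is a random token, and the server decides who that token belongs to.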
Via: The Register