10-09-2025, 04:06 PM
The uncomfortable truth is that you are only a few steps away from a company-ending disaster if you haven't yet implemented IP restrictions on your RMM tools and PSA software.
We are not discussing some theoretical attack here. Our topic is so basic that any technician may demonstrate it in less than 30 seconds using just their web browser.
How Stupidly Simple Session Cookie Theft Is
Let's cut through the technical jargon and demonstrate your current vulnerability.
Launch your RMM application. Log in as usual. To access developer tools, press F12. After selecting the "Application" option, go to Storage > Cookies and search for your server name.
Have you seen that authentication taken? That 36-character dashed alphanumeric string? Your golden ticket is that. Your web frontend's GraphQL API can be accessed by anyone having that string. They have all the rights of whoever's session they are in, and they can do anything a logged-in user can do.
We legitimately use this technique to automate operations in our RMM that aren't accessible via the usual API. It functions. It is trustworthy. And bad actors can do the same if we can do it for legitimate reasons.
Also Read: What is a Subnet? and its Different Classes
We are not discussing some theoretical attack here. Our topic is so basic that any technician may demonstrate it in less than 30 seconds using just their web browser.
How Stupidly Simple Session Cookie Theft Is
Let's cut through the technical jargon and demonstrate your current vulnerability.
Launch your RMM application. Log in as usual. To access developer tools, press F12. After selecting the "Application" option, go to Storage > Cookies and search for your server name.
Have you seen that authentication taken? That 36-character dashed alphanumeric string? Your golden ticket is that. Your web frontend's GraphQL API can be accessed by anyone having that string. They have all the rights of whoever's session they are in, and they can do anything a logged-in user can do.
We legitimately use this technique to automate operations in our RMM that aren't accessible via the usual API. It functions. It is trustworthy. And bad actors can do the same if we can do it for legitimate reasons.
Also Read: What is a Subnet? and its Different Classes