It is not on production anymore, but it was for long enough. Someone thought it would be a great idea to be able to debug a web app while signed in as a user reporting a problem. How to do it? It's easy. Just check on every request if magic HTTP parameter SIGN_IN_AS=id is present and if it is, sign in as this user. Of course, it worked also with admin account with hard-to-guess id=1.