Privilege escalation in applications refers to vulnerabilities that allow attackers, or even regular users, to access data, information or system functions for which they have no authorization. Attackers can exploit such gaps to, for example, manipulate or steal data without authorization.

What are the types of privilege escalations?

There are two types of privilege escalation. In horizontal privilege escalation, a user can access data belonging to other users who have the same privilege profile. In a digital health application, for example, a patient would then be able to read or manipulate other patients’ data. In vertical privilege escalation, a user can access information or program functions that are reserved for more highly privileged users. This is the case, for example, when a patient in a digital health application can also use administrative functions that are reserved for the “doctor” role.

How do such vulnerabilities arise?

Faulty configuration is a frequent cause of privilege escalation: administrators have, knowingly or unknowingly, granted certain users more extensive privileges than they need.
The risk also lurks in in-house applications: such gaps commonly arise when the access rules of an application are inadequately designed or user session management is poorly controlled.
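The following is an added example, not code from the original article: a toy digital-health API in Python that shows both escalation types described above (a patient reading another patient's record, and a patient calling a doctor-only function) next to the object-level and role-level checks that close them, plus a small access-matrix routine that exercises every handler as every caller the way an authorization regression test or penetration test would. The roles, record ids, session class and function names are all constructed for this illustration.

```python
"""Added example: object-level (horizontal) and role-level (vertical)
authorization checks in a constructed digital-health API. All data, roles
and function names are assumptions made for this illustration."""
from dataclasses import dataclass

# Constructed roles; a real application would take these from its identity layer.
ROLE_PATIENT = "patient"
ROLE_DOCTOR = "doctor"


@dataclass(frozen=True)
class Session:
    """Server-side session state: who the caller is and which role they hold."""
    user_id: int
    role: str


class AuthorizationError(PermissionError):
    """Raised when a caller is authenticated but not authorized for the action."""


# Constructed sample records, keyed by record id. "owner_id" is the patient.
RECORDS = {
    101: {"owner_id": 1, "note": "record of patient 1"},
    102: {"owner_id": 2, "note": "record of patient 2"},
}


def get_record_vulnerable(session: Session, record_id: int) -> dict:
    """Horizontal escalation: any logged-in user can read any record just by
    changing the id in the request, because ownership is never compared."""
    return RECORDS[record_id]


def get_record(session: Session, record_id: int) -> dict:
    """Object-level check: a patient may read only records they own;
    the doctor role may read any record."""
    record = RECORDS.get(record_id)
    # Unknown id and foreign record produce the same error, so a patient
    # cannot use the response to probe which record ids exist.
    if record is None or (session.role != ROLE_DOCTOR and record["owner_id"] != session.user_id):
        raise AuthorizationError(f"user {session.user_id} may not read record {record_id}")
    return record


def list_patients_vulnerable(session: Session) -> list:
    """Vertical escalation: an administrative function with no role check."""
    return sorted({r["owner_id"] for r in RECORDS.values()})


def list_patients(session: Session) -> list:
    """Function-level check: only the doctor role may use this function."""
    if session.role != ROLE_DOCTOR:
        raise AuthorizationError(f"role {session.role!r} may not list patients")
    return sorted({r["owner_id"] for r in RECORDS.values()})


def access_matrix(handlers) -> dict:
    """Regression check in the spirit of a penetration test: call every handler
    as every caller and record who gets through. Keys are
    (handler name, caller role, caller id); values are True when access succeeded."""
    callers = [Session(1, ROLE_PATIENT), Session(2, ROLE_PATIENT), Session(9, ROLE_DOCTOR)]
    results = {}
    for name, handler, args in handlers:
        for caller in callers:
            try:
                handler(caller, *args)
                results[(name, caller.role, caller.user_id)] = True
            except AuthorizationError:
                results[(name, caller.role, caller.user_id)] = False
    return results


def escalation_findings() -> dict:
    """Compare the vulnerable and hardened handlers on record 102 (owned by
    patient 2) and on the doctor-only listing. Returns the (handler, role, id)
    cells that succeed in the vulnerable version but are denied in the hardened one."""
    vulnerable = access_matrix([
        ("get_record", get_record_vulnerable, (102,)),
        ("list_patients", list_patients_vulnerable, ()),
    ])
    hardened = access_matrix([
        ("get_record", get_record, (102,)),
        ("list_patients", list_patients, ()),
    ])
    return {cell: "escalation" for cell in vulnerable if vulnerable[cell] and not hardened[cell]}


if __name__ == "__main__":
    for cell in sorted(escalation_findings()):
        print("vulnerable handler allows", cell)
```

Running the block reports one horizontal finding (patient 1 reading record 102) and two vertical findings (both patients calling the doctor-only listing). The matrix approach is the useful part for defenders: listing every handler against every role and comparing the result with the intended permission model turns the question "who can reach what" into a repeatable check rather than a one-off manual review.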

Why and how does this affect us as an organization?

Every organization that uses its own software or software developed by others should have it checked regularly for vulnerabilities. In extreme cases, privilege escalations can lead to the theft of entire databases. Attackers then use the data for ransomware extortion or sell it for profit.

How can I protect myself?

Regular penetration tests of your applications can reliably identify such gaps. Contact us – we will be happy to advise you!
