What actually is privilege escalation in IT applications?

Privilege escalation in applications refers to vulnerabilities that allow attackers, or even regular users, to access data, information or system functions for which they have no authorization. Attackers can exploit such gaps to, for example, manipulate or steal data without authorization.

What are the types of privilege escalations?

There are two types of privilege escalation. In horizontal privilege escalation, a user can access data belonging to other users who have the same privilege profile. In a digital health application, for example, a patient would then be able to read or manipulate other patients’ data. Vertical privilege escalation is the second type: here, a user can access information or program functionality that is actually reserved for more highly privileged users. This is the case, for example, when a patient in a digital health application can also reach administrative functions that are reserved for the “doctor” role.

How do such vulnerabilities arise?

Faulty configuration settings are often the cause of privilege escalation: administrators have, consciously or unconsciously, assigned overly broad privileges to certain users.
The danger of privilege escalation also lurks in self-developed applications: if the access rules in an application are inadequately designed, or if user session management is poorly controlled, such gaps frequently occur.
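The following is an added illustration, not code from the original article, of both escalation types described above and of the two causes just named (a missing access rule and a session whose role is not controlled server-side). It models a small digital health API with constructed users, records and session ids; each vulnerable handler is shown beside its corrected form.

```python
"""Constructed example: horizontal and vertical privilege escalation in a
digital-health style API. All users, records and session ids are made up."""

from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the caller is not permitted to perform the request."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "patient" or "doctor"


@dataclass
class PatientRecord:
    record_id: int
    owner_id: int
    diagnosis: str


# Constructed data: two patients, one doctor, two records.
USERS = {
    100: User(100, "patient"),
    200: User(200, "patient"),
    300: User(300, "doctor"),
}
RECORDS = {
    1: PatientRecord(1, owner_id=100, diagnosis="seasonal allergies"),
    2: PatientRecord(2, owner_id=200, diagnosis="fractured wrist"),
}

# Server-side session store: session id -> authenticated user id.
# The caller's role is always resolved here, never read from the request.
SESSIONS = {"sess-100": 100, "sess-200": 200, "sess-300": 300}


def current_user(session_id: str) -> User:
    """Resolve the authenticated user from the server-side session table."""
    try:
        return USERS[SESSIONS[session_id]]
    except KeyError:
        raise AccessDenied("no valid session") from None


# --- Horizontal escalation: missing object-level access rule ---------------

def read_record_vulnerable(session_id: str, record_id: int) -> PatientRecord:
    """Checks only that the caller is logged in. The record id is trusted,
    so patient 100 can read patient 200's record just by changing the id."""
    current_user(session_id)
    return RECORDS[record_id]


def read_record(session_id: str, record_id: int) -> PatientRecord:
    """Corrected: the record is returned only to its owner or to a doctor."""
    caller = current_user(session_id)
    record = RECORDS[record_id]
    if caller.role == "doctor" or record.owner_id == caller.user_id:
        return record
    raise AccessDenied(f"user {caller.user_id} may not read record {record_id}")


# --- Vertical escalation: role taken from client-controlled session data ---

def delete_record_vulnerable(session_id: str, request: dict) -> bool:
    """Authenticates the caller but trusts a 'role' value the client sent
    (for example a cookie or hidden field), so any patient can claim 'doctor'."""
    current_user(session_id)
    if request.get("role") != "doctor":
        raise AccessDenied("doctors only")
    RECORDS.pop(request["record_id"], None)
    return True


def delete_record(session_id: str, record_id: int) -> bool:
    """Corrected: the role comes from the server-side session and the
    function-level check runs on every call, not only in the UI."""
    caller = current_user(session_id)
    if caller.role != "doctor":
        raise AccessDenied(f"user {caller.user_id} may not delete records")
    RECORDS.pop(record_id, None)
    return True


def denied(fn, *args) -> bool:
    """True if calling fn(*args) is refused with AccessDenied."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True


if __name__ == "__main__":
    print("horizontal, vulnerable:", read_record_vulnerable("sess-100", 2).diagnosis)
    print("horizontal, fixed, denied:", denied(read_record, "sess-100", 2))
    print("vertical, fixed, denied:", denied(delete_record, "sess-200", 1))
```

Note that both corrected handlers derive the caller's identity and role from the server-side session table and then enforce the check in the handler itself; a check that lives only in the client or the UI does not prevent either escalation.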

Why and how does this affect us as an organization?

Every organization that uses its own software or software developed by others should have it regularly checked for vulnerabilities. In extreme cases, privilege escalation can lead to the theft of entire databases. Attackers then use these for ransomware extortion or sell the data for profit.

How can I protect myself?

Regular penetration tests of your applications can reliably identify such gaps. Contact us – we will be happy to advise you!
