Privilege escalation vulnerabilities in applications allow attackers, or even ordinary users, to access data, information or system functions they are not authorized to use. Attackers exploit such gaps to, for example, manipulate or steal data without authorization.

What are the types of privilege escalations?

There are two types of privilege escalation. In horizontal privilege escalation, a user can access data belonging to other users who have the same privilege profile. In a digital health application, for example, a patient could then read or manipulate other patients' data. In vertical privilege escalation, a user can additionally access information or program functions that are reserved for more highly privileged users. This is the case, for example, when a patient in a digital health application can also reach administrative functions that are reserved for the "doctor" role.

How do such vulnerabilities arise?

Faulty configuration settings are often the cause of privilege escalations: administrators have, knowingly or unknowingly, assigned overly extensive privileges to certain users.
Privilege escalation also lurks in in-house applications: if the access rules in an application are inadequately designed or user session management is poorly controlled, such gaps frequently arise.
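The two kinds of missing check described above (an object-level check against horizontal escalation, and a server-side role check against vertical escalation) are easiest to see side by side in code. The following is an added example, not code from the original article: a minimal authorization layer for a hypothetical digital health record API. All names (`Role`, `User`, `Record`, `fetch_record_insecure`, `update_diagnosis_insecure`, the `RECORDS` table and the sample users) are assumptions constructed for the illustration.

```python
"""Added example (not from the original article): a minimal authorization
layer for a hypothetical digital health record API. Each operation is shown
once without and once with the check whose absence yields the escalation."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict


class Role(Enum):
    PATIENT = "patient"
    DOCTOR = "doctor"


@dataclass(frozen=True)
class User:
    user_id: int
    role: Role          # assigned server-side at login, stored in the session


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int       # the patient this record belongs to
    diagnosis: str


class AuthorizationError(PermissionError):
    """Raised when an access rule denies the request."""


# Constructed sample data standing in for a database table and a user store.
RECORDS: Dict[int, Record] = {
    1: Record(record_id=1, owner_id=100, diagnosis="seasonal allergy"),
    2: Record(record_id=2, owner_id=200, diagnosis="hypertension"),
}
PATIENT_A = User(user_id=100, role=Role.PATIENT)
PATIENT_B = User(user_id=200, role=Role.PATIENT)
DOCTOR = User(user_id=300, role=Role.DOCTOR)


# --- horizontal escalation: missing object-level (ownership) check ---------

def fetch_record_insecure(current_user: User, record_id: int) -> Record:
    """Vulnerable: only checks that someone is logged in. Any patient can
    read any record_id they guess, i.e. other patients' data."""
    if current_user is None:
        raise AuthorizationError("login required")
    return RECORDS[record_id]


def fetch_record(current_user: User, record_id: int) -> Record:
    """Hardened: a patient may read only records they own; the doctor role
    may read any record. The decision uses the server-side identity only."""
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    if current_user.role is Role.DOCTOR or record.owner_id == current_user.user_id:
        return record
    raise AuthorizationError(
        f"user {current_user.user_id} may not read record {record_id}")


# --- vertical escalation: role taken from the request instead of the session

def update_diagnosis_insecure(current_user: User, record_id: int,
                              diagnosis: str, is_doctor: bool) -> Record:
    """Vulnerable: trusts a client-supplied flag for the role decision, so a
    patient who sends is_doctor=True reaches a doctor-only function."""
    if not is_doctor:
        raise AuthorizationError("doctor role required")
    old = RECORDS[record_id]
    RECORDS[record_id] = Record(old.record_id, old.owner_id, diagnosis)
    return RECORDS[record_id]


def update_diagnosis(current_user: User, record_id: int, diagnosis: str) -> Record:
    """Hardened: the role comes from the authenticated session object,
    never from request parameters the client controls."""
    if current_user.role is not Role.DOCTOR:
        raise AuthorizationError("doctor role required")
    old = RECORDS[record_id]
    RECORDS[record_id] = Record(old.record_id, old.owner_id, diagnosis)
    return RECORDS[record_id]


def is_allowed(operation: Callable, *args, **kwargs) -> bool:
    """Helper for tests and audits: True if the operation completes,
    False if the access rule denies it."""
    try:
        operation(*args, **kwargs)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    # Patient A reading Patient B's record: leaks in the insecure version only.
    print(is_allowed(fetch_record_insecure, PATIENT_A, 2))   # True  (horizontal escalation)
    print(is_allowed(fetch_record, PATIENT_A, 2))            # False (denied)
    # Patient A calling a doctor-only function with a forged flag.
    print(is_allowed(update_diagnosis_insecure, PATIENT_A, 1, "x", is_doctor=True))  # True
    print(is_allowed(update_diagnosis, PATIENT_A, 1, "x"))   # False (denied)
```

The pattern that matters for a reviewer or pentester is the same in both halves: every data access is decided from the server-side session (who the user is, what their role is, what they own), and nothing the client sends is allowed to influence that decision.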

Why and how does this affect us as an organization?

Every organization that uses its own software or software developed by others should have it checked regularly for vulnerabilities. In extreme cases, privilege escalations can lead to the theft of entire databases. Attackers then use these for ransomware extortion or sell the data for profit.

How can I protect myself?

Regular penetration tests of your applications can reliably identify such gaps. Contact us – we will be happy to advise you!
