johnk
2019-10-25 12:49:00
www.hackerone.com
Customers tell us that a big difference between hacker-powered security and traditional approaches is the impact. Since hackers make money for reporting vulnerabilities with a clear business impact—the bigger the impact, the bigger the bounty—hacker-powered security programs make you demonstrably safer. In contrast, we often hear that traditional penetration tests return low or no impact bugs. Even worse, scanners typically produce noisy false-positives, or the same bug over and over.
This blog series counts down 8 high-impact vulnerability types, along with detailed examples of how HackerOne helped customers avoid breaches associated with them. To develop this series, we consulted both OWASP Top 10 as well as HackerOne’s recent analysis of the Top 10 Most Impactful and Rewarded Vulnerability Types.
Next, we headed over to Hacktivity, the largest directory of publicly disclosed vulnerability reports, to grab examples of how our ingenious security researchers helped HackerOne customers avoid costly breaches associated with each type of vulnerability. Hacktivity details vulnerabilities that have been fixed and that all parties—the hacker and the customer—agree to make public. This site lists thousands of real-world vulnerabilities, the steps hackers used to find them, and other report and remediation details.
To kick things off, let’s look at vulnerability type number 8: Privilege Escalation.
Privilege Escalation
According to Mitre, Privilege Escalation happens when an adversary tries to gain higher-level permissions.
Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches involve taking advantage of system weaknesses, misconfigurations, and vulnerabilities.
In its guidelines to test for privilege escalation, OWASP adds “people refer to vertical escalation when it is possible to access resources granted to more privileged accounts (e.g., acquiring administrative privileges for the application), and horizontal escalation when it is possible to access resources granted to a similarly configured account (e.g., in an online banking application, accessing information related to a different user).”
HackerOne ranked this vulnerability fourth on our list of top ten most impactful and rewarded vulnerabilities. The business impact depends on the nature of the data and access the escalated privilege exposes.
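As an added illustration (not code from the HackerOne post or from any Hacktivity report), here are the two escalation paths OWASP describes above in a minimal online-banking lookup handler, each vulnerable version beside the authorization check that closes it. The users, roles, statement records and the `Forbidden` error type are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # server-side role: "customer" or "admin"

# Constructed sample data: two customers' statements and an admin-only log.
STATEMENTS = {101: {"owner": 1, "balance": 2500}, 102: {"owner": 2, "balance": 90000}}
AUDIT_LOG = {"entries": ["login user 1", "login user 2"]}

class Forbidden(Exception):
    """Raised when the caller may not reach a resource."""

def get_statement_vulnerable(current: User, statement_id: int) -> dict:
    """Horizontal escalation: any logged-in user can read any statement,
    because the owner stored on the record is never compared to the caller."""
    return STATEMENTS[statement_id]

def get_audit_log_vulnerable(current: User, is_admin_flag: bool) -> dict:
    """Vertical escalation: trusting a client-supplied flag instead of the
    role held server-side lets a customer reach an admin-only resource."""
    if not is_admin_flag:
        raise Forbidden("admin only")
    return AUDIT_LOG

def get_statement(current: User, statement_id: int) -> dict:
    """Hardened: object-level check; only the owner or an admin may read."""
    record = STATEMENTS.get(statement_id)
    # One error for "missing" and "not yours", so IDs cannot be enumerated.
    if record is None or (record["owner"] != current.user_id and current.role != "admin"):
        raise Forbidden("not found or not permitted")
    return record

def get_audit_log(current: User) -> dict:
    """Hardened: function-level check against the server-side role only."""
    if current.role != "admin":
        raise Forbidden("admin only")
    return AUDIT_LOG

def allowed(handler, *args) -> bool:
    """True if the handler grants the call; used to compare the two versions."""
    try:
        handler(*args)
        return True
    except Forbidden:
        return False
```

The hardened handlers decide from state the server controls (the record's owner, the session's role), never from anything the client sends.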
Potential Business Impact
The ways an attacker can use a subdomain takeover include malware distribution, phishing/spear phishing, XSS, authentication bypass, and sending and receiving email on behalf of the victimized company. Home Depot customers saw the impact of this vulnerability firsthand. In a 2014 breach impacting tens of millions of credit card holders, an attacker was able to use privilege escalation to install custom malware on self check-out systems in the U.S. and Canada.
Number 7 in our series of 8 high impact vulnerabilities will look at SQL Injection and how your favorite coffee tastes much better without one — so stay tuned!