T 0.32 Abuse of Authorisations
Depending on their roles and tasks, people are granted corresponding entry, admission and access rights. In this way, access to information is controlled and monitored on the one hand, and on the other hand people are enabled to carry out specific tasks. For example, individuals or groups need particular permissions in order to use applications or edit information.
Abuse of authorisations occurs when permissions, whether obtained legitimately or illegitimately, are deliberately used outside their intended purpose. The aim is often to gain a personal advantage or to harm a specific person or institution.
In many cases, for historical, system-related or other reasons, people hold more extensive entry, admission and access rights than they need in order to perform their duties. Under certain circumstances, these rights can be misused for attacks.
Examples:
- The finer the granularity of access rights to information, the greater the effort required to keep these permissions up to date. There is therefore a risk that, when access rights are granted, too little differentiation is made between the various roles, which facilitates the abuse of authorisations.
- In various applications, access permissions and passwords are stored in system areas that other users can access. This would allow attackers to change permissions or retrieve passwords.
- Persons who have been granted overly generous permissions can be tempted to access files belonging to other users, for instance to read another person's email when certain information there is urgently needed.
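The gap between granted and actually needed rights described above can be made visible by auditing role grants against a per-role task baseline and against an access log. The following is an added example, not part of the catalogue entry: the roles, users, baselines and log lines are constructed sample data, and the log format is an assumption.

```python
# Added example: surface over-privilege and out-of-scope use of authorisations.
# ROLE_GRANTS is what the system actually grants; ROLE_NEEDED is the baseline of
# rights each role needs for its task. Both, and the log, are constructed data.
from collections import defaultdict

ROLE_GRANTS = {
    "clerk": {"invoices:read", "invoices:write"},
    "admin": {"invoices:read", "invoices:write", "mail:read", "users:write"},
}
ROLE_NEEDED = {
    "clerk": {"invoices:read", "invoices:write"},
    "admin": {"users:write"},
}
USER_ROLES = {"alice": "clerk", "bob": "admin"}

# Constructed access log: "<timestamp> <user> <permission> <decision>".
SAMPLE_LOG = """\
2024-05-01T08:00:00 alice invoices:read ALLOW
2024-05-01T08:05:00 bob users:write ALLOW
2024-05-01T08:07:00 bob mail:read ALLOW
2024-05-01T08:09:00 alice users:write DENY
"""

def parse_log(text):
    """Split each non-empty log line into (timestamp, user, permission, decision)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def audit(events, user_roles, role_grants, role_needed):
    """Report excess grants per role, allowed uses outside the role's task
    baseline (possible abuse), and granted rights a user never exercised."""
    used = defaultdict(set)
    out_of_scope = []
    for ts, user, perm, decision in events:
        if decision != "ALLOW":
            continue  # denied attempts never exercised a right
        used[user].add(perm)
        if perm not in role_needed[user_roles[user]]:
            out_of_scope.append((ts, user, perm))
    excess = {r: sorted(g - role_needed[r])
              for r, g in role_grants.items() if g - role_needed[r]}
    unused = {u: sorted(role_grants[r] - used[u]) for u, r in user_roles.items()}
    return {"excess_grants": excess, "out_of_scope_use": out_of_scope,
            "unused_grants": unused}

def run_audit():
    return audit(parse_log(SAMPLE_LOG), USER_ROLES, ROLE_GRANTS, ROLE_NEEDED)
```

Excess grants are candidates for removal; out-of-scope uses are the events a reviewer should look at, since a permitted action outside the role's task is exactly the pattern this threat describes.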