A vulnerability could be something that’s in code, something that’s part of the hardware, something vulnerable on the human side of things (like the way someone enters information into a system), and everything in between.

Some code might not check if the computer requesting the information is supposed to have it. There are lots of exploits like that in software that are known, but aren’t a problem because an update fixed it. But not everyone updates their software! A lot. A lot of people don’t. Just by doing some research, someone could find old software and exploit all the security problems it has.

It’s a lot of poking around and seeing what happens. You poke around until you find something you can use. For example, when you put code in a text box of an online form, it accidentally runs that code. Once you figure that out, you can write code that installs something on their computer and gain access. That’s a pretty old example, but it gets the point across. Vulnerabilities can be something of cutting edge research into hardware, or just something stupid no one’s tried before.