What do “hackers” mean by finding a “vulnerability”? It’s hard to understand how there can be a gap in code that grants that much access.


Thank you guys for all the great answers, I am enlightened. Computers are fascinating to me so this is a real treat!



Anonymous 0 Comments

Since you mentioned ‘code,’ I’ll assume you mean software. When software is written, memory is allocated to the program to perform functions. Think of this memory as a bucket that holds a set amount of fluid. Hackers come in and see if they can fill that bucket with an additional amount of fluid. This additional fluid is what you describe as, ‘gap in code that grants that much access.’ The hacker fills the bucket and overflows it with their code, often resulting in the contents overflowing to be run by the computer.

Anonymous 0 Comments

A simple way of exploiting an error in a program might only crash the program. That is only a “denial of service” vulnerability. Sometimes hackers can carefully set up conditions so they can run their own code instead of crashing the program when they exploit a vulnerability. That gives them the same access as the program they exploited.

Nowadays some programs, like web browsers, run in a restricted environment called a sandbox. Then even though the hacker can run their own code, they only get to do things inside the sandbox. But there might be another vulnerability they could exploit that allows them to run their own code outside of a sandbox.

A hacker may need to exploit several vulnerabilities in a row to gain complete control of a computer.

Anonymous 0 Comments

The vast majority of vulnerabilities are people. People are the weakest part of any security. You’d be surprised how much personal information people are willing to share online. And those same people have passwords related to the life information they share online. Half of those “quizzes” back in the day were simply data phishing scams.

Anonymous 0 Comments

A lot of times you don’t have any control over it, like the log4j vulnerability catastrophe: people built applications on top of that software. You, the developer, may have written rock-solid, secure code, but log4j wasn’t.

The ELI5 of it is that most people don’t write bespoke code; that would be insane. We use libraries that are written by other developers. When someone says ‘framework’, what they often mean is something like AngularJS. Think of it like having a building that is delivered to you in pieces on flatbed trucks. You can assemble them many different ways, but you don’t have to sit there and wonder how you are going to make a wall. You have lots of walls sitting around. If those parts (if AngularJS itself) have a security vulnerability, **you the application developer may not be aware of it.**

Anonymous 0 Comments

Here’s an example of something that happens a lot:

Let’s say your program needs a username. You make that username a maximum of 50 characters long, so you save a spot in memory 50 bytes long for it.

But oh no, there is one place in the app where it asks for a username but forgets to check how long the username the user gives you is.

If your user gives you a username longer than 50 characters it can’t fit in the memory you put aside for it, so it goes past that and overwrites other parts of memory. Maybe those parts of memory are parts of your program’s code!

This small error means a hacker just has to send your program a long username and they can rewrite parts of your program’s code, meaning they can do anything including making the program grant the hacker access to your system.
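The two answers above (the overflowing bucket and the 50-character username) describe the same bug. Here it is as an added C example, not code from either answer: a constructed `struct session` puts an `is_admin` flag right after the 50-byte username buffer, `set_username_unchecked` is the forgotten length check, and `set_username_checked` is the fix. All names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 50   /* the answer's "maximum of 50 characters" */

/* Constructed layout: the field that decides access sits right after the
 * fixed-size username buffer, so bytes written past the buffer land on it. */
struct session {
    char username[USERNAME_MAX + 1];  /* 50 characters plus the terminating NUL */
    int  is_admin;                    /* 0 = ordinary user, 1 = admin */
};

/* The bug the answer describes: the one place that forgot to check the
 * length. strcpy copies until the input's NUL, however long that is. */
void set_username_unchecked(struct session *s, const char *input) {
    strcpy(s->username, input);  /* input longer than 50 spills into is_admin */
}

/* The fix: measure first, refuse anything that does not fit, and never
 * write outside the bytes reserved for the name. */
bool set_username_checked(struct session *s, const char *input) {
    size_t n = strlen(input);
    if (n > USERNAME_MAX)
        return false;               /* reject instead of overflowing */
    memcpy(s->username, input, n);
    s->username[n] = '\0';
    return true;
}

/* Helper: build a name of the given length and try the checked setter;
 * true only if it was accepted and is_admin was left untouched. */
bool checked_setter_accepts(size_t len) {
    struct session s = { "", 0 };
    char input[256];
    if (len >= sizeof input) return false;
    memset(input, 'A', len);
    input[len] = '\0';
    return set_username_checked(&s, input) && s.is_admin == 0;
}

int main(void) {
    printf("50-character name accepted: %d\n", checked_setter_accepts(50));  /* 1 */
    printf("60-character name accepted: %d\n", checked_setter_accepts(60));  /* 0 */
    return 0;
}
```

Real compilers and runtimes add further defences (stack canaries, ASLR, fortified string functions), but none of them replaces the length check itself.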

Anonymous 0 Comments

I’ll specifically answer how there can be gaps in code by an example:

Let’s say a server runs an imaginary OS called templeOS. It has 2 processes running:

* A process that runs commands. You see a command line, you can input commands, and it’ll do what you tell it to. Depending on the command (for example editing a file), you might need admin privileges to run a command and the process will ask for the admin password, which you do not have. Some commands (like editing a file that was marked as “editable by all users”) are allowed.

* The process that we will call “stupid”; this will be our entry to gain access. It’s a process that every 5 minutes runs a command that’s written in a text file called “command.txt” that sits in a folder. Important: it does so with admin privileges.

Now up until version 4.0.6, the dude who wrote “stupid” put the file with the command in a folder normal users can access and edit. He fixes that but fails to notify anyone that up until that version, there was a vulnerability.

Once a hacker notices a server that still runs that version, he could remotely log in as a user, change the command in the folder to “give the user admin rights”, and he would effectively have control over everything.

It’s almost always the interaction of multiple processes or programs that create gaps.

Anonymous 0 Comments

As a programmer I’m sometimes amazed things work at all (sorta /s). Most try their best, but it turns out trying to tell a 3-year-old how to do something in very detailed steps can be difficult. The different tools we use to make the software have different trade-offs, like making it faster but harder to get right, and it isn’t uncommon for assumptions made at one point in time to change due to the world changing, and then bam, hackers exploit that to force the system to do something the software wasn’t meant to do. Not to mention that most software is used by people, and people are easily tricked.

Basically everything around software is complex and we have to be extra diligent as hackers only need to find one way through while we have to be mindful of everything.

Anonymous 0 Comments

It’s never just one hack these days. Take the [Target hack](https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/) of 2013: the attackers broke into what appears to have been a smart fridge, before using that as a jumping-off point to probe the rest of the Target network, until they found a way to break into their point-of-sale system, where they could steal credit card data.

Anonymous 0 Comments

A “vulnerability” in code is generally not the whole picture; it’s just the crack that gives them access.

Imagine the code as your car. For a bad guy to steal your car, first he has to get in; that vulnerability could be a coat hanger and the knowledge of how to use it to open the door. Now getting the door open does not allow him to drive off and steal your car, but it does give him access to other vulnerabilities, like hot-wiring.

So a single vulnerability generally does not give a hacker access to that much, but all they need access to is the next vulnerability and so on.

For example, black Mamba (a major crypto ransom hack) gets access via a printer driver installed via a phishing email, or pays a user for their credentials. The print driver vulnerability gives them access to install another vulnerability, then another, then another. It’s a very complex hack.

Anonymous 0 Comments

You see vulnerabilities all the time in board games, when the rules aren’t clear and players fight over their interpretation. Well, code does the same thing. If a hacker finds an obscure rule is not properly programmed or accounted for, the code may not handle that well. What if a website forgot to check whether the email you are updating your account to is already taken by another account? If this check isn’t done, it’s conceivable to gain access to anyone’s account by merely changing your account email to theirs. In this case there was missing code to detect this scenario.
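The missing check in that last answer, as an added C example that is not part of the answer: a constructed two-row account table, `update_email_unchecked` (the bug: the address is overwritten no matter who already owns it) beside `update_email_checked` (the fix), and `count_by_email` to show why it matters, since login and password-reset flows look accounts up by address. All names and addresses are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define EMAIL_MAX 64
#define N_ACCOUNTS 2

struct account { int id; char email[EMAIL_MAX]; };

/* Constructed account table: "your account" (id 2) and someone else's (id 1). */
struct account accounts[N_ACCOUNTS] = {
    { 1, "alice@example.com" },
    { 2, "bob@example.com" },
};

struct account *find_by_id(int id) {
    for (int i = 0; i < N_ACCOUNTS; i++)
        if (accounts[i].id == id) return &accounts[i];
    return NULL;
}

/* How many accounts claim an address. Login and password-reset flows key on
 * the address, so any count other than 0 or 1 is an account-takeover risk. */
int count_by_email(const char *email) {
    int n = 0;
    for (int i = 0; i < N_ACCOUNTS; i++)
        if (strcmp(accounts[i].email, email) == 0) n++;
    return n;
}

/* The missing check: the address is overwritten whether or not another
 * account already uses it. (Length is still checked so the copy is safe.) */
bool update_email_unchecked(int id, const char *new_email) {
    struct account *a = find_by_id(id);
    if (a == NULL || strlen(new_email) >= EMAIL_MAX) return false;
    strcpy(a->email, new_email);
    return true;
}

/* The fix: refuse the change if any other account already owns the address. */
bool update_email_checked(int id, const char *new_email) {
    for (int i = 0; i < N_ACCOUNTS; i++)
        if (accounts[i].id != id && strcmp(accounts[i].email, new_email) == 0)
            return false;
    return update_email_unchecked(id, new_email);
}
```

A real store also normalises addresses (case, surrounding whitespace) before comparing and backs the check with a unique index in the database, so two requests racing each other cannot both pass.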