Simply put, a vulnerability is code that allows someone outside the system to do things they are not supposed to do. It can still work just fine in normal use cases, but if someone calls it the right way, they are able to:
* crash the system
* slow down the system
* run code the designer didn’t intend
* manipulate data inside the system
* access operating system level functions
This is very bad when it happens to your code. It’s worse when the vulnerability is in a shared library that is used in a lot of systems.
There is a great story about a casino that got hacked that cost them millions of dollars.
The casino had a secure wifi network, one of those networks where the password is 16 characters long and known to only a few trusted people. The fish tank in the casino had a wireless network connection for the computer that monitored its heater; for some reason it was on the secure network.
The fish tank monitor was made in China and had malware installed on it. Eventually the hacker realized what it had access to and did what they do.
Hacking generally means gaining access, but a program vulnerability is a specific way of hacking by making the computer do things outside of what the program is intended to do.
Generally, all programs take some form of input bits. When we use a mouse, keyboard, touch screen, ethernet, wifi, basically anything that happens on a computer, it is a set of instructions that take some bits as input. Hackers provide certain kinds of input bits to make the program do things outside of what is intended by the programmers, and this includes just stopping the program from working.
One famous “vulnerability” was when a guy noticed his Apple ID login had basically “User1234” in the URL. So, out of curiosity, he decided to make it “User1235” instead… and the site just showed him that person’s private profile information. WILDLY insecure, and CLEARLY Apple’s fault, yet having found that and done it (presumably a bunch), he then got prison time.
Also, one time I was researching a company and found what’s called a “github” which still had leftover style information from old websites this company ran but that didn’t exist anymore. I discovered style information for an old website tool that let you schedule a meeting with the CTO when you won a contest they’d run… and so I copied and pasted the URL from their style code, and it took me to the CTO’s Google Calendar inviting me to schedule myself a meeting. The website most likely hadn’t existed for quite a while, but that old link still worked, so I went ahead and scheduled my own second job interview.
A lot of vulnerabilities are more sophisticated but at least some of the time it’s just some dumb oversight that nobody thought of yet. Lots of tech companies even have what’s called a “bug bounty” where if you find something like that, they will pay you to tell them what it is so they can fix it.
Here’s one example. Ages ago (2010?) there was a photo sharing website where you could mark photos as private and they wouldn’t be discoverable. Someone looked at the URL of one of their own photos and realized it was whatever.com/photo/123.
They then changed the URL to /124 and got someone else’s picture. They kept incrementing the number and realized they could see any photo. The site only protected access if you were accessing the photo through their web interface. The request to download a specific photo was unprotected.
Most vulnerabilities are stupid things like that, where a developer assumes certain access patterns and doesn’t implement checks on access. Other times people discover ways to basically log into the computer that hosts the website, and they can just look at the files directly. Those vulnerabilities are generally harder to exploit and are used by more professional hackers with a profit motive, since they’re harder to do.
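The photo-by-number bug described in this answer, as an added example that is not from the thread: a constructed in-memory photo store with the “as shipped” download handler next to one that checks ownership on the download path itself, plus the incrementing walk used here as an audit to compare the two.

```python
"""Added example (not from the thread): an authorization check on the direct
download path, the piece the photo site was missing. Constructed data only."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Photo:
    owner: str
    private: bool
    data: bytes


# Constructed sample store: sequential ids, exactly like whatever.com/photo/123
PHOTOS: Dict[int, Photo] = {
    123: Photo(owner="alice", private=True, data=b"alice-private.jpg"),
    124: Photo(owner="bob", private=True, data=b"bob-private.jpg"),
    125: Photo(owner="bob", private=False, data=b"bob-public.jpg"),
}


def download_vulnerable(photo_id: int) -> Optional[bytes]:
    """The 'as shipped' handler: the web UI hides private photos, but the
    download endpoint trusts the id and never asks who is requesting."""
    photo = PHOTOS.get(photo_id)
    return photo.data if photo else None


def download_fixed(photo_id: int, requester: Optional[str]) -> Optional[bytes]:
    """Authorization on every path that returns the object, not just the UI.
    'Not found' and 'not yours' both return None, so the response does not
    confirm which ids exist in an id space anyone can count through."""
    photo = PHOTOS.get(photo_id)
    if photo is None:
        return None
    if photo.private and photo.owner != requester:
        return None
    return photo.data


def walk_ids(fetch: Callable[[int], Optional[bytes]],
             id_range: range = range(120, 130)) -> List[int]:
    """The incrementing check from the post, used as an audit: tries every id
    in the range against a handler and reports which ids returned data."""
    return [pid for pid in id_range if fetch(pid) is not None]


if __name__ == "__main__":
    print("vulnerable, anonymous:", walk_ids(download_vulnerable))
    print("fixed, anonymous:     ", walk_ids(lambda p: download_fixed(p, None)))
    print("fixed, as bob:        ", walk_ids(lambda p: download_fixed(p, "bob")))
```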
Just to add to this… sometimes you exploit multiple things at a time. People writing secure systems try to put as many walls as possible between parts of their code, so if you do manage to access one part, it won’t allow further access. Here’s an example of where it broke…
So iPhones have pretty strong security. Apple really doesn’t want you modifying the device. This is a short version of how the old ‘slide to Jailbreak’ used to work.
Someone found one exploit in the PDF renderer on the iPhone that just caused the browser to crash. After some investigating, they figured out that instead of crashing, you can craft a very specific pdf that’ll allow an attacker to run any code it wanted as the browser. But it had to be very carefully written, otherwise the browser would just crash. Apple had good security. A program can’t modify the operating system. So instead of this being a severe bug, it’s just a medium sized one.
Another person found a separate bug that let any program that’s running modify the operating system. This is considered a medium sized bug.
Normally your phone won’t load an operating system that isn’t signed by Apple, but a third person found a third bug that allows booting up an “unlocked” operating system.
So a fourth person got creative, and glued these 3 bugs together. Use the PDF bug (#1) to run arbitrary code. The arbitrary code runs a privilege escalation (bug #2). Then it loaded the unlocked bootloader (bug #3) into the phone, which allowed you to run an unlocked operating system. They then published this special, buggy PDF on the internet, on a page you could visit. You could then visit that page, swipe, and unlock your phone.
Apple ended up fixing all those bugs, but this is an example of how these cracks can line up to do something much bigger.
Most exploits are about stacking things together. If you can trick the target system into running code, it’s not the bug itself, but the access it allows.
Sometimes people just stumble upon things. Like trying and it works.
I’m not a hacker, but even I did stumble upon a thing once. Back in the day I wanted to download some scientific document I needed. I ended up at the given university page, but there was no download link until login. I didn’t have the login, but I realized that in the address bar in the browser they used a logical structure. Something like university.edu/downloads/whatever. So I kept trying to directly type things in the address bar, and it worked without login!
Sometimes hackers do the same. Trying something that shouldn’t work, and it works. You don’t always need to hack into a system like you imagine from movies. You can make money if you can cheat in MMORPGs. Like, if you figure out how to double-login into a game (which absolutely should not happen), then you can give your game gold to your own character, log out and have double gold. Repeat it a few times and you have millions of gold. And as game gold or other objects can often be sold on eBay for real money (or could be some years ago), if you figured out something like that, you could make actual money out of it.
Or, for example, you go home and realize that the neighbor’s online printer shows up in your printer list unprotected. So you try to print on his printer and it works. Now you figure that this model of printer comes with this open setting, so basically you can print anywhere in the world.
In addition to a lot of good answers here, vulnerabilities can also exist in the following sense.
Imagine a nice, sturdy house with all the fancy locks. It’s secure af.
Now there’s a dog door / flap on the main door. It’s big enough for an average dog but impossible for even a child to crawl through, let alone a grown man.
However, what the architect didn’t think of is that it is possible to use some sort of lever that can be inserted through the dog flap that can reach the door knob and open it.
There you go. Someone who visited the apartment or is well versed with the architect’s designs now knows how to sneak into the house through the dog flap.
I remember once we had a situation where one major website, in order to reset your password, asked you for the last 4 digits of your card while it showed you the first 4. And then another major website asked for the first 4 and showed you the last 4. So imagine you are a user of both of them…
Some people call it a vulnerability, some call it the other word
As a developer, you need to remember that a computer is stupid. It executes the code exactly as humans wrote it.
If a human tells your computer to jump off a bridge under some conditions, it will. If you forgot to add a lock on the front door, it won’t add one for you.
**I forgot:**
(Or didn’t have time, the usual “we will do it later” (never))
As developers we are pressured to go fast as well. We may forget to add some features. It was 17:00 when I was going to add the lock, and the next day I forgot about it. Or it was 9:00, then all the damn meetings started, and it is now 17:00…
We made a lot of features as well, because everyone wants money (not even talking about other conditions that may come with it). So we probably made that lock. Or we may have half-built the lock when it was 17:00, and yet again forgotten the next day to finish it, but we installed it anyway.
**I’m not smart enough:**
Maybe we thought we could make a secure lock. Turns out you can open it with a flat screwdriver! (Security is one field you shouldn’t try to do yourself)
**That damn edge case**
Making software that doesn’t crash (or behave weirdly) is like doing a maze… except the maze fills a full page with paths the width of a hair, and each wrong turn (not dead end!) is a bug/crash.
So I could work full time for weeks just handling errors, edge cases or weird behavior, just for a feature that asks you to enter 2 numbers.
So, we won’t support every case. Usually that won’t cause a security issue here, but that also means some part of the code might not have been tested much…
So we make assumptions on things. If the user enters a letter, I will let the software crash, since the client has only a number keypad. (Until I get screwed and he plugs in a full keyboard)
**Never trust user values**
That one… Oh Fu… Hell Fu…
That can also include software saved value sometimes.
This is one big issue with security that can cause big security problems, from the processor running unauthorized code to you withdrawing money without anybody knowing.
See it like a form with a blank spot to fill in. Someone will fill in the form (you, directly or indirectly) and someone will do whatever the form says (the software).
Unfortunately, a lot of the time, programmers cheap out on that one and don’t use the full capability of the form. What does it mean?
Let’s say the form is: “allow the user ____ to access his own account if the password to the account matches _____”.
Then the user fills the first field with “Administrator”, but the second field with: “blablabla or if the password doesn’t match”.
The software will then read it as: allow the user Administrator to access his own account if the password to the account matches blablabla or if the password doesn’t match.
So… Now you are logged into the Administrator account…
Sometimes it is a little more complex than that for technical reasons. But it is the same idea.
Funny thing, the AI revolution works exactly like that. Except there is not quite a feature to flag user values (the blank in the form) vs. the other instructions.
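The “form with blanks” from this answer written as a real login query, as an added example that is not from the thread: a constructed in-memory SQLite database, one handler that pastes the user’s text into the form itself, and one that hands the form and the values to the database separately (parameters), so the values can never become instructions. The trick string is constructed to mirror the post’s “blablabla or if the password doesn’t match”.

```python
"""Added example (not from the thread): the post's form-with-blanks as SQL.
Constructed in-memory database; plaintext passwords only to keep the focus on
how the query is built, never do that in real code."""
import sqlite3
from typing import Tuple


def make_db() -> sqlite3.Connection:
    """Constructed accounts for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Administrator", "correct horse"), ("guest", "guest")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The blanks are filled by pasting the user's text into the form text, so
    whatever is typed in the password field is read as part of the rule."""
    query = (f"SELECT name FROM users WHERE name = '{user}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Parameterized: the form (with its blanks) and the values travel to the
    database separately, so a value is only ever compared, never interpreted."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (user, password)).fetchone() is not None


# The post's "blablabla or if the password doesn't match", spelled in SQL.
# Constructed test input for the demonstration, not anyone's credential.
TRICK = "blablabla' OR 'x'='x"


def compare(user: str, password: str) -> Tuple[bool, bool]:
    """Runs both handlers on a fresh database; returns (vulnerable, fixed)."""
    conn = make_db()
    try:
        return login_vulnerable(conn, user, password), login_fixed(conn, user, password)
    finally:
        conn.close()


if __name__ == "__main__":
    print("real password   (vulnerable, fixed):", compare("Administrator", "correct horse"))
    print("trick in field  (vulnerable, fixed):", compare("Administrator", TRICK))
```

The vulnerable handler logs “Administrator” in with the trick string and no password; the parameterized one treats the same string as a literal password that simply does not match.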