eli5: Confused Deputy


So I’m dipping my toe in Cyber Security and I came across the confused deputy problem. Anyone care to break it down, please?

In: 1

it’s using some elses authority…

example if i want to beat-up a neighbor i tell a cop that he threatened me or something, cop beats up neighbor.

in computing it basically a hostile application hijacking an administration or systems application or just using those types of high privilege apps to do something to help, authorize or hide the hostile apps behavior.

this is the most common example of malware/spyware

You, USER A, have limited permissions.
A program, PROGRAM X, has a different set of permissions.
A confused deputy situation occurs when USER A is given permission to use PROGRAM X and thus indirectly allowed to do things you aren’t normally allowed to do. This can result in damage either through malicious use if USER A intentionally uses this loophole, or accidental damage if they just happen to try things without knowing they shouldn’t be allowed to.

In the originally described scenario, the program was a compiler. Normally the compiler would allow the user to ONLY write to a director the user had permission for. HOWEVER it also had a special permission to write to a certain directory for logging and analytics purposes. Unfortunately that directory contained other important files. The user could overwrite those files by specifying that directory as the log output location. Because it was a special case for the compiler to be able to write to this directory it didn’t check the users permission and damage could occur.

The term comes from the stereotype of an inept/confused deputy who is given authority but is tricked or accidentally uses it to cause problems, such as the character of Barney Fife in the old TV series “The Andy Griffith Show”. The deputy isn’t TRYING to do harm, its just that they get easily confused and manipulated by other people who shouldn’t have power.