👑 The privilege escalation
Mass assignment
A user emails your support team with an unusual subject line: "I think there's a bug - I accidentally made myself an admin."
They attached a screenshot showing access to delete all customer data, view financial reports, modify user permissions, and access admin controls.
You check the logs and see they simply added 'role=admin' to their profile update request.
Worse yet, they mention they found this by accident and wonder how many other users might have discovered it.
Technical Issue: Your API accepts any field in user update requests without validation. When users submit profile updates, they can include additional fields like 'role', 'admin', or 'permissions' that your backend blindly saves to the database.
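As an added illustration that is not part of the original page, here is the blind merge described above beside an allowlist version that drops and reports every non-writable field; the writable-field set, privileged-field set, user record and payload are all assumptions constructed for the example.

```python
"""Mass assignment: blind merge of request fields vs. an allowlist.

Added example, not from the original page. The user record, field names
and request payload below are constructed for illustration.
"""

# Fields a user may legitimately change on their own profile (assumed set).
PROFILE_WRITABLE = frozenset({"display_name", "email", "timezone"})

# Fields that confer privilege; changes to these belong to an admin-only
# code path, never to a self-service profile update.
PRIVILEGED = frozenset({"role", "admin", "permissions"})


def update_profile_vulnerable(user: dict, payload: dict) -> dict:
    """Mirrors the bug in the text: every submitted key is saved as-is."""
    updated = dict(user)
    updated.update(payload)          # 'role=admin' lands in the database
    return updated


def update_profile_safe(user: dict, payload: dict) -> tuple[dict, list[str]]:
    """Copy only allowlisted keys; return the rest for logging and alerting."""
    updated = dict(user)
    rejected = []
    for key, value in payload.items():
        if key in PROFILE_WRITABLE:
            updated[key] = value
        else:
            rejected.append(key)     # unknown or privileged field: dropped
    return updated, rejected


def is_privilege_probe(rejected: list[str]) -> bool:
    """Detection hook: a self-service update that names a privileged field
    is a strong signal worth alerting on, accidental or not."""
    return any(key in PRIVILEGED for key in rejected)


if __name__ == "__main__":
    # Constructed sample: a normal user sending the request from the story.
    user = {"id": 42, "display_name": "pat", "email": "pat@example.com", "role": "user"}
    payload = {"display_name": "Pat", "role": "admin"}

    print(update_profile_vulnerable(user, payload)["role"])       # admin
    safe, rejected = update_profile_safe(user, payload)
    print(safe["role"], rejected, is_privilege_probe(rejected))   # user ['role'] True
```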