The aforementioned example shows nefarious exploitation of the vulnerability, but the same vulnerability is likely also "exploited" day to day by authorized users as a shortcut or workaround against system failures, missing features or bad user experience.
For example, in a perfectly secure system, how hard would it be to delegate access to someone (we assume the reason for delegation is legitimate)? If it's harder than writing down the access code and/or texting them, then it's a downgrade. Is there a contingency process to keep working if your (obviously outsourced) SSO provider is down, or your machine is applying updates, or your browser is pestering you to leave feedback and trying to convince you to switch to their search engine before it'll let you access the system's access control page? Etc.
Nextgrid|2 years ago