A security researcher named ngalog submitted a report to Shopify’s bug bounty program on HackerOne, describing a potential privilege escalation vulnerability in Shopify’s Multipass feature. This article explains what privilege escalation is, why it matters, how the Multipass vulnerability was identified, and how you can detect similar issues in web applications. Written in plain English, it breaks down the technical details of the report, its implications, and practical steps for identifying such vulnerabilities.
Privilege escalation is a type of security vulnerability where an attacker or user gains access to permissions or data beyond what they are authorized to have. For example, a regular employee with limited access might exploit a flaw to gain admin-level control, allowing them to view sensitive customer information or modify critical settings.
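To make the definition concrete, here is an added Python example (not code from the original article, from the HackerOne report, or from Shopify) showing the pattern behind the "regular employee becomes admin" case: one settings handler authorizes on a role value the client sent, the other reads the role from the server-side session record. The users, session ids and the settings handler are all constructed for illustration.

```python
# Added example: vertical privilege escalation through client-controlled role data.
# Everything below (users, sessions, handlers) is constructed for illustration.

# Constructed server-side session store: session id -> authenticated user record.
USERS = {
    "sess-alice": {"name": "alice", "role": "admin"},
    "sess-bob": {"name": "bob", "role": "staff"},
}


class Forbidden(Exception):
    """Raised when a request is authenticated but not authorized (or not logged in)."""


def update_settings_vulnerable(session_id, request, settings):
    """Vulnerable handler: it checks that the session exists (authentication)
    but decides authorization from a 'role' field supplied in the request body.
    A staff user who adds role=admin to the request is treated as an admin."""
    if session_id not in USERS:
        raise Forbidden("not logged in")
    if request.get("role") != "admin":
        raise Forbidden("admin only")
    settings.update(request["changes"])
    return dict(settings)


def update_settings_fixed(session_id, request, settings):
    """Hardened handler: the role comes from the server-side session record,
    so nothing the client puts in the request can raise its privilege level."""
    user = USERS.get(session_id)
    if user is None:
        raise Forbidden("not logged in")
    if user["role"] != "admin":
        # Denied attempts like this are worth logging: a staff account that
        # repeatedly sends admin-only requests is a useful detection signal.
        raise Forbidden("admin only")
    settings.update(request["changes"])
    return dict(settings)


def escalation_demo():
    """Bob (role 'staff') sends the same request, claiming role=admin, to both
    handlers. Returns which handler let the change through."""
    bob_request = {"role": "admin", "changes": {"store_name": "changed by bob"}}
    outcome = {}
    for label, handler in (("vulnerable", update_settings_vulnerable),
                           ("fixed", update_settings_fixed)):
        settings = {"store_name": "Example Store"}
        try:
            handler("sess-bob", bob_request, settings)
            outcome[label] = "escalated"
        except Forbidden:
            outcome[label] = "denied"
    return outcome


if __name__ == "__main__":
    print(escalation_demo())  # {'vulnerable': 'escalated', 'fixed': 'denied'}
```

The difference is where the authorization decision gets its input: the fixed handler consults state the server controls, which is the property to look for when reviewing any feature that maps an external identity or token onto an account and its permissions.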
There are two main types of privilege escalation:
- Vertical Privilege Escalation: A user gains higher-level access, like moving from a regular user to an admin.