The attacker, a developer with legitimate rights on the system, wrote a discriminating authorization check. Using an IF-clause, he could avoid the authorization check being executed for a specific user-ID. Possibly, this was done during the development and testing phase; potentially this can now be exploited in production to manipulate salary slips. An ordinary line of code may have a significant impact on your Human Resources department.
![](https://securitybridge.com/wp-content/uploads/2024/04/solution-1024x627-1.png)