As part of routine security assurance, LogMeIn reviewed components already in production to confirm they still met current security expectations. One such system, a file-distribution service, had long been regarded as low-risk due to its straightforward purpose and its origins: it was built and maintained by highly experienced engineers.
However, the team recognised that longstanding confidence can limit fresh examination. To avoid relying solely on past assumptions, they chose to apply a game-based threat modelling approach using the Elevation of Privilege game to validate that the design continued to be sound.
How the Session Was Set Up
A standard Elevation of Privilege threat-modelling session was conducted:
- 5–6 engineers representing different levels of experience
- A security specialist facilitating and guiding where needed
- The system’s architecture diagram presented as the shared reference
- Each card prompting consideration of an attacker behaviour or system weakness
- A note-taker capturing all observations for follow-up
The use of the game ensured everyone participated actively, and questions were framed as part of play rather than subjective challenges.
What They Examined
Focus was placed on a specific design decision: administrators could provide a URL for a file or patch, which the component would then download and distribute automatically.

This design had been considered safe, as administrators were fully privileged on the systems receiving the file.
What They Did
The team analysed how the system handled its main input: an administrator provides a URL where a file or patch can be retrieved. The component then downloads and distributes the file to the target environment.
During the session, participants were encouraged to consider potential misuse of this mechanism. The discussion focused on what validation existed for the supplied URL and where the component sat within the network architecture in relation to the administrator.
What They Found
The system allowed administrators to specify any URL, internal or external.
Because the component operated in a more privileged network segment, a malicious or compromised admin account could request files from LogMeIn’s own internal network and have them automatically distributed outside its boundary.
A missing validation rule meant the design unintentionally created a pathway for data exfiltration.
The issue had not been identified before because it was assumed that:
- the admin role could already be fully trusted
- the original implementation had covered all relevant risks
The structured, scenario-driven examination prompted by the game revealed the oversight quickly and objectively.
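One way to express the kind of validation rule that was missing, as an added example (not LogMeIn's code or its actual remediation): the admin-supplied URL is accepted only if every address it resolves to is publicly routable. The HTTPS-only policy, the function names and the DNS table are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: patches are only fetched over HTTPS

def system_resolver(host):
    """Every address the name resolves to, as the fetcher itself would see it."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_download_url(url, resolver=system_resolver):
    """Return (True, vetted_addresses) or (False, reason) for an admin-supplied URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            addresses = []
    if not addresses:
        return False, "host does not resolve"
    # Reject if ANY answer is internal: a name with mixed records must not pass.
    for addr in addresses:
        if not ipaddress.ip_address(addr.split("%")[0]).is_global:
            return False, f"{addr} is not a public address"
    # The fetcher should connect to these vetted addresses (not re-resolve the
    # name) and re-run this check on every redirect target.
    return True, addresses

# Constructed DNS answers so the example runs offline (hypothetical names).
CONSTRUCTED_DNS = {
    "downloads.example.com": ["93.184.216.34"],
    "wiki.corp.example": ["10.20.30.40"],
    "mixed.example.net": ["93.184.216.34", "127.0.0.1"],
}

def constructed_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise OSError("no such host")
    return CONSTRUCTED_DNS[host]

if __name__ == "__main__":
    for name in list(CONSTRUCTED_DNS) + ["169.254.169.254"]:
        print(name, check_download_url(f"https://{name}/patch.bin", constructed_resolver))
```

The check only holds if the download step connects to the addresses that were vetted; validating the name and then letting the HTTP client resolve it again leaves a gap between check and use.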
Outcomes & Value
| Benefit | Impact |
|---|---|
| Systematic review of a trusted component | A high-impact security weakness identified and addressed |
| Equal contribution across the team | Reduced reliance on assumptions and reputation |
| Clear, action-oriented findings | Issue converted into a tracked remediation task |
| Consistent repeatability | Similar results achieved in ongoing sessions |
The team noted that game-based sessions reliably surfaced meaningful findings that had not been uncovered through standard reviews.
Why this matters
The finding demonstrated how game-based threat modelling:
- Encourages systematic examination of well-understood systems
- Enables all engineers to raise concerns regardless of seniority
- Reveals concrete security gaps that traditional review may not expose
This example illustrates how a repeatable, structured exercise can lead to actionable security improvements, even in established components.