What Is a Computer Trapdoor?

By David Dunning

A computer trapdoor, also known as a back door, provides a secret -- or at least undocumented -- method of gaining access to an application, operating system or online service. Programmers write trapdoors into programs for a variety of reasons. Left in place, trapdoors can facilitate a range of activities from benign troubleshooting to illegal access.

Legitimate Use

Programmers typically don't create and retain trapdoors with malicious intent. They leave them in place for legitimate testing or debugging purposes, or to give service technicians emergency access to a system. Weaknesses in design logic can also introduce trapdoors into program code inadvertently and innocently. Many software developers include undocumented trapdoor passwords, which they use for maintenance or unspecified purposes. Software companies rarely acknowledge the presence of trapdoors and trapdoor passwords in proprietary software -- software whose source code is not distributed publicly -- but users sometimes expose them.

Security Vulnerability

Because trapdoors allow anyone with knowledge of them to circumvent normal security procedures, unscrupulous individuals can exploit them for nefarious purposes. Software vendors may expect and hope that trapdoors and trapdoor passwords remain secret, but as users become more technically savvy, they become increasingly likely to discover them, accidentally or intentionally, and thus to create security vulnerabilities. Some users exploit trapdoors or disclose them so others can exploit them, rather than report the presence of such vulnerabilities to the developer of the software that contains them.


Malware can install trapdoor programs on Internet-connected computers. Once in place, trapdoor programs open an Internet port, enabling anonymous, malicious data collection or computer control from anywhere in the world. Combined in networks called botnets, infected computers with open ports can facilitate identity theft and other fraudulent activities without their owners' knowledge or consent.
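Because a trapdoor program of this kind has to hold a port open, a defender can look for it by comparing a host's listening sockets against a known baseline. The following is an added example, not part of the original article: it parses Linux `ss -H -tln -p` output and reports externally reachable listeners that are not expected. The sample output, the `updsvc` process name and the baseline are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -H -tln -p` output (Linux); not from the original page.
SAMPLE_SS = """\
LISTEN 0 128   0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0 511   [::]:443       [::]:*     users:(("nginx",pid=1021,fd=6))
LISTEN 0 4096  127.0.0.1:5432 0.0.0.0:*  users:(("postgres",pid=900,fd=5))
LISTEN 0 4096  127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14))
LISTEN 0 5     0.0.0.0:31337  0.0.0.0:*  users:(("updsvc",pid=4410,fd=4))
LISTEN 0 128   *:8080         *:*
"""

# Hypothetical baseline: the (port, process) pairs this host is expected to expose.
BASELINE = {(22, "sshd"), (443, "nginx")}

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_listeners(ss_output):
    """Yield (address, port, process, pid) for each LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]      # drop IPv6 brackets and %iface scope
        m = PROC_RE.search(line)                   # absent when ss runs unprivileged
        proc, pid = (m.group(1), int(m.group(2))) if m else (None, None)
        yield addr, int(port), proc, pid

def is_loopback(addr):
    """True only for loopback binds; '*', 0.0.0.0 and :: are reachable remotely."""
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def unexpected_listeners(ss_output, baseline):
    """Return externally reachable listeners that are not in the baseline."""
    findings = []
    for addr, port, proc, pid in parse_listeners(ss_output):
        if is_loopback(addr):
            continue
        if (port, proc) not in baseline:
            findings.append((port, proc or "unknown", pid))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for port, proc, pid in unexpected_listeners(SAMPLE_SS, BASELINE):
        print(f"unexpected listener: port {port} process {proc} pid {pid}")
```

A listener whose owning process cannot be resolved is reported as "unknown" rather than skipped, since a missing process name is itself worth investigating with elevated privileges.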

Malicious Attacks

In recent years, trapdoor exploitation has enabled malicious attacks involving tens of thousands of computers. These attacks have targeted many high-profile organizations, including Google, Microsoft and the Internal Revenue Service. Email worms such as 2003's SoBig and 2004's MyDoom covertly hijacked computers with software bots -- autonomous programs that act as agents for trapdoor programs -- leaving them open to future exploitation by hackers.