Wednesday, July 20, 2022

Okta Exposes Passwords in Clear Text for Possible Theft



Identity services provider Okta is facing serious security flaws, researchers contend, that could easily let an attacker gain remote access to the platform, extract plaintext passwords, impersonate users of downstream applications, and alter logs to hide any evidence they were ever there.

However, Okta told researchers from Authomize that the issues are features, not bugs, and that the app works according to design.

Last January, threat group Lapsus$ claimed to have breached Okta with "superuser" account credentials, posting screenshots they claimed to have grabbed from internal systems. It was determined that 366 Okta customers were impacted in that incident.

"Following the news of the Okta breach earlier this year, we focused our efforts on understanding what types of actions a malicious actor could do if they achieved even a minimal level of access within the Okta platform," Authomize CTO Gal Diskin said in the team's security analysis this week.

Diskin explained that Okta's architecture for password syncing allows potential malicious actors to access passwords in plaintext, including admin credentials, even over encrypted channels: TLS protects the password in transit, but the endpoint that receives the sync sees it in the clear. To do so, the attacker would need to be signed into the system as an app admin of a downstream app (examples include apps used by customer service agents or financial operations teams); from there, the person could reconfigure System for Cross-domain Identity Management (SCIM) provisioning to grab passwords for any Okta user.
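To make the mechanism concrete, the following added example (not code from Authomize, Okta, or the original article) models what a SCIM 2.0 receiver sees. SCIM's core user schema (RFC 7643, section 4.1) defines `password` as the user's cleartext password, so an IdP that pushes passwords delivers them in the JSON body of `/Users` create, replace, and patch requests. The sample requests are constructed for this example; `harvest_passwords` shows what a rogue or attacker-controlled SCIM endpoint would collect, and `filter_requests` shows the receiver-side policy a legitimate app that authenticates via SAML/OIDC can apply: refuse any provisioning write that carries a password at all.

```python
"""Inspect SCIM 2.0 provisioning requests for cleartext passwords.

Added illustration of the password-sync exposure discussed above. The
request payloads below are constructed; the schema URNs and the meaning
of the "password" attribute come from RFC 7643 / RFC 7644.
"""

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: three requests as a downstream app's SCIM endpoint
# would receive them from an identity provider with password sync enabled.
SAMPLE_REQUESTS = [
    {   # user creation carrying an initial password
        "method": "POST", "path": "/scim/v2/Users",
        "body": {"schemas": [SCIM_USER],
                 "userName": "alice@example.com",
                 "password": "Spring2022!"},
    },
    {   # password change delivered as a PatchOp
        "method": "PATCH", "path": "/scim/v2/Users/2819c223",
        "body": {"schemas": [SCIM_PATCH],
                 "Operations": [
                     {"op": "replace", "path": "password", "value": "NewPass#1"},
                     {"op": "replace", "path": "active", "value": True}]},
    },
    {   # ordinary profile update with no secret material
        "method": "PUT", "path": "/scim/v2/Users/2819c223",
        "body": {"schemas": [SCIM_USER],
                 "userName": "bob@example.com",
                 "displayName": "Bob Example"},
    },
]


def _passwords_in_patch(body):
    """Return cleartext passwords carried by a PatchOp body.

    RFC 7644 allows a password either as a targeted operation
    ("path": "password") or inside a value object when "path" is omitted.
    """
    found = []
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        path, value = op.get("path"), op.get("value")
        if path == "password" and isinstance(value, str):
            found.append(value)
        elif path is None and isinstance(value, dict) \
                and isinstance(value.get("password"), str):
            found.append(value["password"])
    return found


def _password_in_request(req):
    body = req["body"]
    if SCIM_PATCH in body.get("schemas", []):
        return _passwords_in_patch(body)
    pw = body.get("password")
    return [pw] if isinstance(pw, str) else []


def harvest_passwords(requests):
    """What a rogue SCIM endpoint would log: (subject, cleartext password).

    For POST/PUT the subject is userName; for PATCH only the resource path
    identifies the user, which is still enough to map back to an account.
    """
    harvested = []
    for req in requests:
        subject = req["body"].get("userName", req["path"])
        for pw in _password_in_request(req):
            harvested.append((subject, pw))
    return harvested


def filter_requests(requests):
    """Receiver-side hardening: accept provisioning writes, reject any that
    carry a password. Returns (accepted_paths, rejected_paths)."""
    accepted, rejected = [], []
    for req in requests:
        (rejected if _password_in_request(req) else accepted).append(req["path"])
    return accepted, rejected


if __name__ == "__main__":
    for subject, pw in harvest_passwords(SAMPLE_REQUESTS):
        print(f"rogue endpoint captured: {subject} -> {pw}")
    ok, bad = filter_requests(SAMPLE_REQUESTS)
    print("hardened endpoint accepted:", ok)
    print("hardened endpoint rejected:", bad)
```

The point of the receiver-side filter is that an app which never needs to verify passwords itself has no reason to accept the attribute; rejecting it removes the value of reconfiguring that app's SCIM settings in the first place. It does not help against an endpoint the attacker controls, which is why the app admin role that can change a provisioning target needs to be treated as a privileged identity.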

"All that's needed for extracting the clear text passwords is for an actor to gain app admin privileges," according to the report. Given the constantly expanding number of users within organizations of all sizes, especially in enterprises, Diskin said that the chance of an app admin being compromised is statistically quite high, with the Verizon Data Breach Investigations Report for 2022 finding that 82% of breaches involved human elements like stolen credentials and phishing. More concerningly, these app admins are generally not treated as privileged identities.

For Okta's part, the passwords are in clear text because there is no standard, reliable protocol for syncing password hashes, researchers noted. However, Authomize noted that Okta did pledge to have its product team take a closer look at the password-leak risks.
