Search This Blog

Showing posts with label IAM system. Show all posts

Okta Post-Exploitation Method Reveals User Passwords

Post-exploitation attack technique has been discovered that enables adversaries to read cleartext user passwords for Okta, the identity access, and management (IAM) provider, acquiring extensive access to the corporate environment. 

Mitiga researchers found that if users unintentionally type their passwords in the "username" field when logging in, the IAM system saves them to audit logs. Threat actors who have acquired access to a company's system can then quickly harvest them, lift privileges, and gain access to several corporate assets that make use of Okta. 

In a post, Doron Karmi, Okta senior security researcher and principal security researcher and developer wrote, "In our research, we could easily use the logs to match the password with the valid user, resulting in gaining credentials to the Okta user account." They added further when adversaries log in to Okta as those users, it "expands the blast radius of the attack to the many platforms that Okta secures, and gaining further access to systems." 

Since Okta audit logs include specific data pertaining to user activity, such as usernames, IP addresses, and login timestamps, the vulnerability exists. The logs also reveal whether login attempts were made using a web browser or a mobile app and whether they were successful or failed. 

In Defense of Okta Features 

The cloud-based enterprise-grade IAM service, Okta, which links business users across applications and devices is now utilized by more than 17,000 customers around the globe. Although it was designed for cloud-based systems, many on-premises apps can also use it. 

According to a statement from the company released by Mitiga, representatives from Okta agree that preserving cleartext passwords in audit logs is "expected behavior when users mistakenly enter their password in the username field." Furthermore, only platform administrators, who are the system's most privileged users, have access to audit logs that store cleartext passwords, and they "should be trusted not to engage in malicious activities." 

It is not the first time the business has had to defend a platform feature that governs how user passwords are handled. In response to a report by Authomize researchers, Okta's architecture for password syncing allows malicious actors signed in as an app administrator of a downstream app to access passwords in plaintext, including admin credentials, even over encrypted channels, the company published a blog post in July of last year. 

The news followed claims made by the threat organization Lapsus$, which posted screenshots they claimed were taken from internal systems and claimed to have breached Okta using "superuser" account credentials. Although Okta later claimed it only discovered two actual breaches, it was revealed that 366 Okta customers could have been negatively impacted by that incident.