Researchers at Authomize discovered 4 ‘high impact’ attack paths in Okta’s trusted management solution. Authomize clearly points out that Okta do not categorize these as vulnerabilities, as everything is working as expected, yet they explained that it is still important to address these 4 attack paths as they could lead to serious consequences, like PII exposure, account takeover, and/or data destruction.
Companies rely on IdP’s (Identity Providers) like Okta to store and verify their digital identity and provide easy access to resources for the company employees. An IdP will manage access, add or remove privileges, all while keeping security tight. It also provides authentication services to relying applications within a distributed network, making it easy for users to login and verify their identity often with a single sign-on across the multiple apps and services they need to access.
Let’s take a brief look at the 4 newly discovered attack paths:
- Clear text Password extraction via SCIM – An app admin (which is the lowest privilege built-in role) can extract all Okta passwords of all app users by redirecting the SCIM (System for Cross-domain Identity Management) provisioning protocol to an attacker controlled host. In practise, this means an app admin, of even the least business relevant app, can steal a super admin’s password (privilege escalation) or use their permissions to exfiltrate all the company’s passwords by reconfiguring SCIM.
- Sharing of Passwords and sensitive data over unencrypted channels (HTTP) – If Okta and the SCIM server aren’t using encrypted communication, an attacker is able to sniff traffic and pick up shared profile details (which are PII), clear text passwords and more.
- Hub & spoke configuration allows sub-org admins to compromise accounts in the hub or other spokes downstream – Say a little company, newly taken over by a merger, links its Okta to the parent company’s Okta. A compromised account in the small company can lead to the app-admin becoming a super-admin and achieving full, unlimited access to the big company’s whole array of apps and services! All downstream apps can be affected, leading to impersonation, fraud and general damage.
- Mutable identity log spoofing – By changing their own name in the logs, a malicious actor can obfuscate their actions so that they are hidden under any cursory review, making it appear as if the illicit activity was done by someone else.
Okta has a great product and security practises but let’s take advantage of these discoveries. Don’t rely on default settings. Ensure you are aware of how you can strengthen your security in response to these types of attacks. Authomize has provided helpful mitigation tactics that are well worth reading at: https://www.authomize.com/blog/authomize-discovers-password-stealing-and-impersonation-risks-to-in-okta/
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days