Okta Post-Exploitation Method Exposes User Passwords

A post-exploitation attack method has been uncovered that allows adversaries to read cleartext user passwords for Okta, the identity and access management (IAM) provider, and from there gain far-ranging access into a corporate environment.

Researchers from Mitiga discovered that the IAM system saves Okta user passwords to audit logs if a user accidentally types them in the "username" field when logging in. Threat actors who have gained access to a company's system can then easily harvest them, elevate privileges, and gain access across multiple enterprise assets that use Okta, the researchers said.

"In our research, we could easily use the logs to match the password with the valid user, resulting in gaining credentials to the Okta user account," Okta senior security researcher Doron Karmi and principal security researcher and developer Or Aspir wrote in the post. When adversaries log in to Okta as those users, it "expands the blast radius of the attack to the many platforms that Okta secures, and gaining further access to systems," they wrote.

The vulnerability exists because Okta audit logs supply detailed information about user activity, including usernames, IP addresses, and login timestamps. The logs also provide insights into successful and unsuccessful login attempts and whether they were performed via Web browser or mobile app.
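Because the leak shows up as a failed login whose "username" is really a password, followed moments later by a successful login from the same client, defenders can hunt for it in the same audit data. The following detection is an added example written for this article, not code from Mitiga or Okta; it assumes Okta System Log events with the `eventType`, `published`, `outcome`, `actor.alternateId` and `client.ipAddress` fields, uses a constructed sample, and treats "not shaped like an email address" as the heuristic for a mistyped password (an assumption; adjust it to your tenant's username format). It reports the affected user for credential rotation but never emits the suspect value itself.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in the shape of Okta System Log entries
# (field names assumed; all values are invented for illustration).
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2023-03-23T10:00:01.000Z",
     "outcome": {"result": "FAILURE", "reason": "VERIFICATION_ERROR"},
     "actor": {"alternateId": "Tr0ub4dor&3"}, "client": {"ipAddress": "203.0.113.5"}},
    {"eventType": "user.session.start", "published": "2023-03-23T10:00:09.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.5"}},
    {"eventType": "user.session.start", "published": "2023-03-23T11:15:00.000Z",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7"}},
]

# Heuristic (assumption): a legitimate Okta login looks like an email address.
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def find_leaked_password_events(events, window_seconds=60):
    """Flag failed logins whose 'username' is not a valid login identifier and
    that are followed within the window by a successful login from the same IP.
    Only the length of the suspect value is reported, so triage does not
    re-expose the secret that was written to the log."""
    logins = sorted((e for e in events if e.get("eventType") == "user.session.start"),
                    key=lambda e: e["published"])
    findings = []
    for i, ev in enumerate(logins):
        if ev["outcome"]["result"] != "FAILURE":
            continue
        candidate = ev["actor"]["alternateId"]
        if EMAIL_RE.match(candidate):
            continue  # ordinary mistyped/unknown username, not a password
        t0 = parse_ts(ev["published"])
        for nxt in logins[i + 1:]:
            if parse_ts(nxt["published"]) - t0 > timedelta(seconds=window_seconds):
                break
            if (nxt["outcome"]["result"] == "SUCCESS"
                    and nxt["client"]["ipAddress"] == ev["client"]["ipAddress"]):
                findings.append({"user": nxt["actor"]["alternateId"],
                                 "source_ip": ev["client"]["ipAddress"],
                                 "failed_at": ev["published"],
                                 "leaked_value_length": len(candidate)})
                break
    return findings
```

Each finding identifies a user whose password should be treated as exposed and rotated; the same logic can be expressed as a saved search in whichever SIEM ingests the Okta System Log.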

In Defense of Okta Features

Okta is a cloud-based enterprise-grade IAM service that connects enterprise users across applications and devices and is used by more than 17,000 customers globally. While it was built for cloud-based systems, it also is compatible with many on-premises applications.

Representatives from Okta conf ..