March 27, 2023

According to Mitiga, Okta’s login system contains a simple error that could expose its users to future attacks.

Users are inadvertently typing their passwords into the username field during login. As a result, information from failed login attempts is stored in plain text in audit logs that track user behavior on the network. Mitiga discovered that this information is easily accessible and could be shared with third-party security vendors for Okta customers, potentially allowing attackers to compromise Okta user accounts and access any resources or applications they may have access to.

Mitiga discovered that attackers could potentially read users’ passwords and credentials stored in Okta audit logs. Furthermore, audit logs provide detailed information about user activity, such as usernames, IP addresses, and login timestamps. The logs also reveal whether login attempts were successful or unsuccessful, as well as whether they were made through a web browser or a mobile app.

Passwords were also found in the username field of failed login attempts. Hence, an attacker could attempt to log in as a user on any of the organization’s platforms that use Okta single sign-on (SSO). Furthermore, in the case of exposed administrator passwords, this information could be used to escalate privileges.

To gain access to user information, the attacker only needs to be able to read Okta audit logs. For example, an attacker with access to the SIEM product’s logs could steal user credentials.

Third-party services that integrate with Okta, such as CSPM products, could also request a “Read-only” Administrator role, which would allow them to read environment information, including audit logs. If those services or products are breached during a supply-chain attack, attackers can steal Okta users’ credentials.

The sources for this piece include an article in Axios.