Adversaries could read Okta user passwords from failed login attempts in the firm’s audit logs if they accessed the latter, says research by cloud-incident-response company Mitiga.
With a net worth of $13.6 billion and more than 17,000 customers globally, Okta is among the largest providers of authentication services and identity and access management solutions in the world. It’s not without flaws, though, as new research demonstrates.
Mitiga, an Israeli cloud incident response company, says it has found a new potential post-exploitation attack method in Okta that enables adversaries to read users’ passwords that are in the Okta audit logs.
“This knowledge can then allow adversaries to login as those users, expanding the blast radius of the attack to the many platforms that Okta secures, and gaining further access to systems.The adversary only needs the ability to read the Okta audit logs to fetch users’ credentials,” the company said in the report.
Mitiga added it could easily use the logs to match a password with the valid user, resulting in gaining credentials to that Okta account. Researchers found passwords in most of its customer logs, including those of users with administrator roles that can perform actions on other users.
Obviously, being able to read the Okta audit logs is something not easily done, and the company has stressed this in its response to Mitiga’s findings.
After reviewing the reported issue, Okta confirmed that it was quite common for users to mistakenly enter their password in the username field on the login page, and that the company logs failed attempts.
But the firm added: “These logs are only accessible to Okta administrators, who are the most privileged users in Okta and should be trusted not to engage in malicious activities.”
However, Mitiga said Okta audit logs could still be accessible because “security-mature companies forward their Okta logs to their SIEM [Security Information and Event Management] provider.” This means the logs are accessible to other people who are Okta admins.
For example, “attackers running as a compromised user which has permissions to read the logs in the SIEM, can harvest users’ credentials and try to log in as a high-permission user in the organization,” Or Aspir, cloud security research team leader at Mitiga, told Cybernews.
Besides, the way Okta records failed login attempts seems unsafe. “In our analysis, we discovered that passwords were present in the username field of failed login attempts. This is a concerning finding, as passwords should never be present in plain text in any type of log,” Mitiga said.
“Even if you are assigned with a ‘Read-only Administrator’ role, it doesn’t mean you should have the ability to see users’ passwords,” Aspir told Cybernews.
Highway to hell of data theft
By knowing the emails and passwords of users, a threat actor can try to log in as those users to platforms that use Okta single sign-on. This information could also be used to escalate privileges in the case of exposed administrator passwords, Mitiga said.
Aspir insists this is dangerous. He said his team fetched “tens and even hundreds of user passwords in only one month of logs,” and “anyone with the ability to read the logs can potentially log in as the users whose passwords are in the logs.”
What’s more, multifactor authentication (MFA) wouldn’t necessarily alleviate the risk – attackers can try to bypass it through various methods. For example, attackers can use phishing ruses to trick users into providing their MFA credentials.
In 2020, a series of phishing attacks already targeted Okta customers, aiming to steal their MFA credentials. The attackers used various social engineering techniques to trick users into providing them, including fake Okta login pages and phishing emails.
Mitiga also mentioned so-called MFA fatigue: users can become frustrated with multiple requests and start approving them without verifying if they were legitimate. Quite obviously, attackers can take advantage of this by sending a flood of MFA push notifications in a short timeframe.
“With access to the Okta logs, a threat actor could potentially wait for the perfect timing to trigger MFA to circumvent it, by monitoring a user’s login pattern and sending the MFA push [notification] within a few seconds after a genuine successful login, to make the action look legitimate to the user,” said Mitiga.
More from Cybernews:
Subscribe to our newsletter