‘Password extraction risk’ in identity provider Okta disputed

Jul 20, 2022 | News


Security researchers claim to have uncovered serious security shortcomings in the systems of identity provider Okta.

Identity and access management specialist Authomize went public with four supposed vulnerabilities following an inconclusive disclosure process.

The vulnerabilities “grant threat actors with app admin privileges the ability to extract clear text passwords, impersonate any downstream user, and impersonate anyone in the hub or another spoke,” according to Authomize.

However, Okta remains unconvinced about the seriousness of these supposed flaws, telling The Daily Swig it has no plans to issue security updates in response to Authomize’s research. Users with any lingering concerns have the option to ratchet up their default security settings, Okta advised.

Gal Diskin, CTO and co-founder of Authomize, said it was “working closely with Okta on improving the security of their customers.

“While we might disagree with their decision not to assign CVEs for our findings, the crucial point for us is that they are taking them seriously and that we are collaborating with them based on mutual professional respect,” he told The Daily Swig.


Diskin went on to claim that exploiting the flaws would not be difficult for even a modestly skilled attacker.

“If you have the right privileges/configuration [then you], and anyone with even limited technical skills, can carry out this exploitation,” he said.

Diskin continued: “Attackers may use these flaws to: steal passwords for all employees, escalate privileges to super-admin, build persistent hidden backdoors, compromise all downstream apps to perform doxing, impersonation, theft, or for ransom purposes.

“Attackers can use super-admin privileges to perform destructive attacks against downstream apps connected to any IdP [identity provider],” he added.

Underground chatter

Asked directly, Authomize admitted it had no evidence of real-world exploitation of the flaws it discusses. The security consultancy nonetheless argues that exploitation might have occurred “under the radar”.

“There have been certain unexplained password and username leaks that may end up being traced back to these issues,” Diskin told The Daily Swig. “We’ve also heard from partners in threat intelligence firms that they see identity systems being widely discussed as targets in cybercriminal forums.”

Potential for wider threat

Authomize reckons the security shortcomings it unearthed are particular to Okta – rather than being a generic issue that also affects other identity providers.

Diskin told The Daily Swig: “From our research, it does not appear that other IdPs are similarly at risk.”

“That being said, there are certain attacks inherent to any IdPs such as impersonation via upstream IdPs, username manipulations in downstream apps, and various other misconfigurations that our research suggests require persistent monitoring,” he concluded.

Okta, however, told The Daily Swig that the issues uncovered by Authomize are not particular to itself and can be addressed by following industry best practice.

“Authomize reached out to Okta with the technical details of their blog post,” Okta told The Daily Swig. “After thorough review, our determination is that the listed items are not unique to Okta and that applying security best-practices will mitigate any risks found with the items in the blog.

“Okta customers who want to increase the security of their organization can utilize our online product documentation to apply the most secure settings,” it added.


Source: portswigger.net
