A significant security flaw has reportedly been detected in identity and access management powerhouse Okta‘s platform which could have given threat actors access to user login credentials, and ultimately access to any resources or applications they use.
Cybersecurity researchers from Mitiga found that in some cases, Okta presented user passwords (opens in new tab) in audit logs, stored in plain text. Thus, should an unauthorized third party gain access to those logs, they’d be given the keys to the kingdom. The researchers described this as a post-exploitation attack method.
Every login attempt is logged, the researchers explain. Sometimes, people mistakenly type in their password into the username field, which obviously results in a failed login attempt. However, as everything’s logged, this gets logged, too, with the password being shown in plain text.
MFA to the rescue
Okta also keeps other sensitive data in the logs, as well, the researchers found. Besides usernames, that includes IP addresses and login timestamps. Furthermore, the logs show if the login attempt was successful or not, and whether it was done via a web browser or a mobile app.
To mitigate the risk, Mitiga says, the best course of action is to set up multi-factor authentication (MFA). While the method is not foolproof, it will significantly lower the chances of threat actors using audit logs to compromise accounts.
After reaching out to Okta, the company confirmed Mitiga’s findings but played down the importance, saying admins are the only ones with access to the audit logs, and these should be trusted individuals, by default.
“Okta has reviewed the reported issue and confirmed that it is expected behavior when users mistakenly enter their password in the username field,” the company said. “Okta logs failed login attempts and includes the erroneous username in the logs. These logs are only accessible to Okta administrators, who are the most privileged users in Okta and should be trusted not to engage in malicious activities.”
“Additionally, Okta recommends enforcing phishing-resistant multi-factor authentication to further enhance the security of the Okta platform. By default, MFA is enforced when accessing the Okta Admin console. A bad actor would not be able to access the admin console without providing additional factors for login. Similarly, admins can set up an Authentication Policy that requires additional MFA when logging in to specific applications, which would further restrict what actions a bad actor can perform.”
