‘Password extraction risk’ in identity provider Okta disputed

Security researchers claim to have uncovered serious security shortcomings in the systems of identity provider Okta.

Identity and access management specialist Authomize went public with four supposed vulnerabilities following an inconclusive disclosure process.

The vulnerabilities “grant threat actors with app admin privileges the ability to extract clear text passwords, impersonate any downstream user, and impersonate anyone in the hub or another spoke,” according to Authomize.

However, Okta remains unconvinced about the seriousness of these supposed flaws, telling The Daily Swig it has no plans to issue security updates in response to Authomize’s research. Users with any lingering concerns have the option to ratchet up their default security settings, Okta advised.

Gal Diskin, CTO and co-founder of Authomize, said it was “working closely with Okta on improving the security of their customers.

“While we might disagree with their decision not to assign CVEs for our findings, the crucial point for us is that they are taking them seriously and that we are collaborating with them based on mutual professional respect,” he told The Daily Swig.

Diskin went on to claim that exploiting the flaws would not be difficult for even a modestly skilled attacker.

“If you have the right privileges/configuration [then you], and anyone with even limited technical skills, can carry out this exploitation,” he said.

Diskin continued: “Attackers may use these flaws to: steal passwords for all employees, escalate privileges to super-admin, build persistent hidden backdoors, compromise all downstream apps to perform doxing, impersonation, theft, or for ransom purposes.

“Attackers can use super-admin privileges to perform destructive attacks against downstream apps connected to any IdP [identity provider],” he added.

Underground chatter

Asked directly, Authomize admitted it had no evidence of real world exploitation of the flaws it discusses. The security consultancy nonetheless argues that exploitation might have occurred “under the radar”.

“There have been certain unexplained password and username leaks that may end up being traced back to these issues,” Diskin told The Daily Swig. “We’ve also heard from partners in threat intelligence firms that they see identity systems being widely discussed as targets in cybercriminal forums.”

Potential for wider threat

Authomize reckons the security shortcomings it unearthed are particular to Okta – rather than being a generic issue that also affects other identity providers.

Diskin told The Daily Swig: “From our research, it does not appear that other IdPs are similarly at risk.”

“That being said, there are certain attacks inherent to any IdPs such as impersonation via upstream IdPs, username manipulations in downstream apps, and various other misconfigurations that our research suggests require persistent monitoring,” he concluded.

Okta, however, told The Daily Swig that the issues uncovered by Authomize are not particular to itself and can be addressed by following industry best practice.

“Authomize reached out to Okta with the technical details of their blog post,” Okta told The Daily Swig. “After thorough review, our determination is that the listed items are not unique to Okta and that applying security best-practices will mitigate any risks found with the items in the blog.

“Okta customers who want to increase the security of their organization can utilize our online product documentation to apply the most secure settings,” it added.

Source: https://portswigger.net/daily-swig/password-extraction-risk-in-identity-provider-okta-disputed