It was designed to protect against password theft, but security researchers have shown that the ubiquitous Okta identity service can be abused to give a malicious administrator access to other users' data and services, on the same day as popular password manager LastPass disclosed that it had been breached again.
Developed by threat researchers within P0 Labs, an arm of security firm Permiso dedicated to researching how cloud-based services are compromised, the technique exploits a flaw in the way Okta allows administrators to manage the identities of their users.
Using the technique, the team warns, an Okta administrator can give themselves or a third party the same access as an existing user who has already passed multi-factor authentication (MFA) checks, such as entering a one-time code from an authenticator app or a code texted to the user's mobile.
By completing their own MFA check and then changing the account details that connected applications use to identify the target, an impersonator can reach the other user's services without knowing their password or completing another MFA check, including services on the Google, Amazon Web Services (AWS) and Microsoft Azure cloud platforms.
“While the impersonator may have had to pass their own MFA check, they are not forced to provide an MFA verification again under the context of the impersonated user,” Permiso threat researchers Ian Ahl and Nathan Eades explained.
“Based on ‘in the wild’ detections Permiso has reviewed, this technique is being utilised for both benign and nefarious purposes.”
Online demonstrations show the researchers accessing another user's Google Workspace services, including email and Google Drive, and, in a second recording, using the same impersonation to reach another user's AWS services.
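The technique leaves a detectable footprint: an administrator edits one account so that its app-facing identity matches another user's, and that account then signs in to downstream apps through SSO. The following is an added example written for this article, not code from Permiso or Okta. It runs the check over constructed data shaped like the two inputs a SOC already collects, a snapshot of the Okta user directory (simplified from what the Users API returns) and Okta System Log events. The event names `user.account.update_profile` and `user.authentication.sso` are real Okta event types; every user, id, timestamp and app name is invented, and the assumption that the downstream app keys on `profile.email` is exactly that, since the attribute depends on how each app integration is configured.

```python
"""Hunt for an Okta account whose app-facing identity has been made to collide with
another user's, then correlate the change with the SSO logins that followed.

Added example, not Permiso's or Okta's code. Inputs are constructed below.
Assumption: the attribute downstream apps key on is profile.email.
"""
from collections import defaultdict

# Constructed directory snapshot. Mallory's email has been edited to match Alice's.
DIRECTORY = [
    {"id": "00u1", "profile": {"login": "alice@example.com",   "email": "alice@example.com"}},
    {"id": "00u2", "profile": {"login": "bob@example.com",     "email": "bob@example.com"}},
    {"id": "00u3", "profile": {"login": "mallory@example.com", "email": "alice@example.com"}},
]

# Constructed System Log events in the shape Okta emits (eventType, actor, target,
# outcome, published). The event types exist; every value here is invented.
EVENTS = [
    {   # benign: an admin updates Bob's profile and no collision results
        "published": "2022-08-25T09:00:00Z", "eventType": "user.account.update_profile",
        "actor": {"id": "00u9", "type": "User", "alternateId": "admin@example.com"},
        "target": [{"id": "00u2", "type": "User", "alternateId": "bob@example.com"}],
        "outcome": {"result": "SUCCESS"},
    },
    {   # suspicious: the admin updates Mallory's profile; Mallory now collides with Alice
        "published": "2022-08-25T10:01:00Z", "eventType": "user.account.update_profile",
        "actor": {"id": "00u9", "type": "User", "alternateId": "admin@example.com"},
        "target": [{"id": "00u3", "type": "User", "alternateId": "mallory@example.com"}],
        "outcome": {"result": "SUCCESS"},
    },
    {   # Mallory then reaches an app through SSO, with no fresh MFA under Alice's identity
        "published": "2022-08-25T10:03:00Z", "eventType": "user.authentication.sso",
        "actor": {"id": "00u3", "type": "User", "alternateId": "mallory@example.com"},
        "target": [{"id": "0oa1", "type": "AppInstance", "alternateId": "Google Workspace"}],
        "outcome": {"result": "SUCCESS"},
    },
]


def identity_collisions(directory, attr="email"):
    """Map each duplicated app-facing identity value to the Okta user ids that share it."""
    by_value = defaultdict(list)
    for user in directory:
        value = (user["profile"].get(attr) or "").strip().lower()
        if value:
            by_value[value].append(user["id"])
    return {value: ids for value, ids in by_value.items() if len(ids) > 1}


def flag_impersonation(directory, events, attr="email"):
    """Pair each successful profile update on a colliding account with the SSO logins after it."""
    collisions = identity_collisions(directory, attr)
    # user id -> the other user ids it now matches
    colliding = {uid: [o for o in ids if o != uid] for ids in collisions.values() for uid in ids}
    ordered = sorted(events, key=lambda e: e["published"])
    findings = []
    for ev in ordered:
        if ev["eventType"] != "user.account.update_profile" or ev["outcome"]["result"] != "SUCCESS":
            continue
        for target in ev["target"]:
            if target["type"] != "User" or target["id"] not in colliding:
                continue
            later_sso = [
                e for e in ordered
                if e["eventType"] == "user.authentication.sso"
                and e["actor"]["id"] == target["id"]
                and e["published"] > ev["published"]
            ]
            findings.append({
                "changed_at": ev["published"],
                "changed_by": ev["actor"]["alternateId"],
                "account": target["alternateId"],
                "now_matches": colliding[target["id"]],
                "apps_reached": [t["alternateId"] for e in later_sso for t in e["target"]
                                 if t["type"] == "AppInstance"],
            })
    return findings


if __name__ == "__main__":
    for finding in flag_impersonation(DIRECTORY, EVENTS):
        print(finding)
```

The check deliberately does not depend on the profile-update event carrying the old and new attribute values; it works from the current directory state, so it also catches collisions created before log retention began. It only covers the variant in which the edited attribute matches an existing user, which is the case the researchers describe.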
It's not the first time Okta's security has been called into question: earlier this year the firm admitted that hacking group LAPSUS$ had accessed a third-party support engineer's laptop over a five-day window, potentially affecting around 2.5 per cent of a 15,000-strong customer base that includes the University of Technology Sydney, Baker's Delight, REA Group, News Corp, Flinders University, Gilbert+Tobin, the Australian Red Cross, and others.
Further investigation led the company to narrow the attacker's actual control of the laptop to 25 minutes, and Okta concluded that the impact was far smaller than first feared.
Facing the trust challenge
Yet in an industry whose entire purpose is to better protect customer applications, trust is hard fought and harder won.
The integrity of MFA systems is crucial to winning over the 86 per cent of companies still authenticating users with usernames and passwords alone, according to an Okta survey of 850 IT decision-makers, which also found public sector organisations keenly interested in stronger ways to authenticate users and prevent cyber security compromises.
Yet the power of stolen credentials has long had cyber criminals looking for ways to compromise such services, which hold concentrated troves of sensitive credentials.
Password manager LastPass, for its part, last week announced that an intruder had used a compromised software developer's account to access parts of the company's development environment, taking portions of its source code as well as "proprietary LastPass technical information".
The incident did not compromise any user passwords and there was "no evidence of any unauthorised access to customer data", the company said; but as the latest in a series of security incidents involving the company, it highlights the ongoing challenge companies face in maintaining their reputation with customers.
MFA systems are generally robust, but researchers have worked tirelessly to find ways around them as they have surged in popularity, helped by mobile apps that let users authenticate without carrying a separate hardware device.
“Users are going to try to find the path of least resistance, and they will reuse passwords,” Jess Dodson, senior customer engineer for security and identity with Microsoft, told this year’s AusCERT conference, pointing out that “MFA is important – and it shouldn’t just be for your top-end users.”
"Just go and turn it on," she said, noting that 99 per cent of identity-related breaches "can have their effectiveness reduced by having MFA."
“Brute forcing can’t work if you have MFA. Even phishing attacks can’t work well if you have MFA. So turning MFA on for everyone in your environment is one of the best things you can do to put zero trust in place.”