Researchers have discovered a post-exploitation attack method in Okta enables threat actors to read users’ passwords in Okta audit logs.
Okta is a popular identity and access management company with over 17,600 customers, including Major League Baseball, Zoom and Hewlett Packard.
Researchers developed a post-exploitation technique that illustrates how passwords for Okta users could be exposed if they enter it into the username field. The risk of exposure comes from the way Okta records failed login attempts, which stores the username in Okta audit logs as plain text. If a user then enters their credentials successfully, both the username and password have been exposed for a potential attacker to exploit.
The research included a response from Okta, which confirmed failed login attempts are included in the logs but said audit logs are only accessible to Okta administrators. However, Okta audit logs are often forwarded to centralized security solutions, such as a SIEM, saying other users who are not administrators could read the logs.
In addition to SIEMs, cloud security posture management (CSPM) software that are integrated with Okta may request “read-only” administrator roles, which include the ability to read audit logs. If those services are breached, an attacker can steal the Okta users’ credentials.
Organizations can use a SIEM or analytics platform to find where their logs are stored, and a SQL query has been created by the researchers to help companies to identify potential exposures. Multifactor authentication is an effective way to enhance security against the exploit
Consumers who accidentally type their passwords into the username field can immediately change their password, and a password manager will protect users from making the mistake in the first place.
This research was documented by researchers from Mitiga.