Security researchers at Permiso's P0 Labs have shown how an Okta administrator can abuse the identity platform to gain access to other users' data and services without holding their credentials.
The technique, developed by Permiso's P0 Labs team, leverages the way Okta lets administrators manage the identities of their users.
Using the technique, an Okta administrator can give themselves, or a third party, the same access as an existing user who has already passed multi-factor authentication (MFA) checks, such as entering a one-time code from an authenticator app or a code sent by text message to the user's phone.
By completing their own MFA check and then editing the account's profile details to match those of the target, the impersonator can reach the target's services without entering the target's password or completing a second MFA check, because the downstream applications accept the identity Okta asserts for the session. That includes cloud platforms such as Google, Amazon Web Services and Microsoft Azure.
Permiso threat researchers Ian Ahl and Nathan Eades explain that while the impersonator may have had to pass their own MFA check, they are not forced to provide an MFA verification again under the context of the impersonated user.
"Based on 'in the wild' detections Permiso has reviewed, this technique is being utilised for both benign and nefarious purposes."
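One way to hunt for this pattern in identity logs is to flag profile edits that rewrite the attributes downstream applications use to map identity (login, email) and, in particular, edits that make one account collide with another existing account. The script below is an added example, not Permiso's or Okta's code; the log records are constructed to resemble Okta System Log events, and the field layout it relies on (eventType, actor, target, debugContext.debugData.changedAttributes, and a newLogin value carrying the attribute's new value) is an assumption, as is the directory snapshot it cross-references.

```python
"""Detection sketch: flag Okta profile edits that make one account look like another.

Added example, not Permiso's or Okta's code. The log records below are
constructed to resemble Okta System Log events; the field names used
(eventType, actor, target, debugContext.debugData.changedAttributes) and the
hypothetical newLogin value are assumptions for this example.
"""
import json

# Constructed sample events (not real data). Assumed layout: each
# user.account.update_profile event carries the names of the attributes
# changed and, for this example, the new login value under debugData.
SAMPLE_LOG = r"""
{"eventType":"user.session.start","actor":{"id":"00uadmin","alternateId":"admin@example.com"},"target":[],"debugContext":{"debugData":{}}}
{"eventType":"user.account.update_profile","actor":{"id":"00uadmin","alternateId":"admin@example.com"},"target":[{"type":"User","id":"00uadmin","alternateId":"admin@example.com"}],"debugContext":{"debugData":{"changedAttributes":"login,email","newLogin":"cfo@example.com"}}}
{"eventType":"user.account.update_profile","actor":{"id":"00uadmin","alternateId":"admin@example.com"},"target":[{"type":"User","id":"00ujdoe","alternateId":"jdoe@example.com"}],"debugContext":{"debugData":{"changedAttributes":"mobilePhone"}}}
{"eventType":"user.account.update_profile","actor":{"id":"00uadmin","alternateId":"admin@example.com"},"target":[{"type":"User","id":"00uhelper","alternateId":"helper@example.com"}],"debugContext":{"debugData":{"changedAttributes":"login","newLogin":"ceo@example.com"}}}
{"eventType":"user.account.update_profile","actor":{"id":"00uadmin","alternateId":"admin@example.com"},"target":[{"type":"User","id":"00ujdoe","alternateId":"jdoe@example.com"}],"debugContext":{"debugData":{"changedAttributes":"login","newLogin":"john.doe@example.com"}}}
"""

# Constructed directory snapshot (login -> user id), standing in for what a
# hunting script would pull from the Users API before scanning the log.
DIRECTORY = {
    "admin@example.com": "00uadmin",
    "jdoe@example.com": "00ujdoe",
    "helper@example.com": "00uhelper",
    "cfo@example.com": "00ucfo",
    "ceo@example.com": "00uceo",
}

# Attributes that SSO integrations commonly use to decide who a session belongs to.
IDENTITY_ATTRS = {"login", "email", "secondEmail"}


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_impersonation_edits(events, directory):
    """Return findings for profile updates that rewrite identity attributes.

    Two signals are combined: (1) the changed attribute is one downstream apps
    map identity on (login/email); (2) the new value already belongs to a
    different account in the directory, so the edited account now looks like
    that one. An admin editing their own account (actor == target) or a
    collision with an existing user is rated high; a plain rename is medium.
    """
    findings = []
    for ev in events:
        if ev.get("eventType") != "user.account.update_profile":
            continue
        dbg = ev.get("debugContext", {}).get("debugData", {})
        changed = {a.strip() for a in dbg.get("changedAttributes", "").split(",") if a.strip()}
        identity_changes = changed & IDENTITY_ATTRS
        if not identity_changes:
            continue  # e.g. a phone number change: not an identity rewrite
        target = next((t for t in ev.get("target", []) if t.get("type") == "User"), {})
        new_login = dbg.get("newLogin")
        owner = directory.get(new_login)
        collides_with = owner if owner and owner != target.get("id") else None
        self_edit = ev["actor"]["id"] == target.get("id")
        findings.append({
            "actor": ev["actor"]["alternateId"],
            "edited_user": target.get("alternateId"),
            "changed": sorted(identity_changes),
            "new_login": new_login,
            "self_edit": self_edit,
            "collides_with_user": collides_with,
            "severity": "high" if (self_edit or collides_with) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_impersonation_edits(parse_events(SAMPLE_LOG), DIRECTORY):
        print(f["severity"].upper(), f["actor"], "->", f["edited_user"], f["changed"], f["new_login"], f["collides_with_user"])
```

On the constructed log this yields three findings: the admin rewriting their own login to the CFO's (self-edit plus collision), the admin pointing a helper account at the CEO's login (collision), and an ordinary rename of jdoe that matches no other account (medium, the benign case). Real deployments should treat the collision check as the primary signal and tune the self-edit rule to local admin practice.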
While Okta is designed to keep users secure, this is not the first time the identity platform has been compromised.
Earlier this year, Okta revealed that the hacking group LAPSUS$ had access to a support engineer's laptop for five days, potentially compromising around 2.5 per cent of a 15,000-strong customer base that includes the University of Technology Sydney, Baker's Delight, REA Group, News Corp, Flinders University, Gilbert + Tobin, the Australian Red Cross, and others. Following an investigation into the incident, Okta said the attacker's actual window of access lasted just 25 minutes, and went on to characterise the breach as a non-issue.
According to an Okta survey of 850 IT decision makers, however, the integrity of MFA systems is crucial to winning over the 86 per cent of companies that are still using usernames and passwords to authenticate their users. The data also found public sector organisations are "very interested" in stronger ways to authenticate their users and prevent cyber security compromises.
Cyber criminals have long traded on stolen credentials, which unlock troves of sensitive information and can lead to compromised services.
Last week, password manager LastPass announced that an attacker had compromised a legitimate software developer's account, accessed parts of the company's software development environment, and stolen portions of LastPass' source code as well as "proprietary LastPass technical information".
This latest compromise highlights the ongoing challenge companies face in maintaining their reputation with customers. According to LastPass, the incident did not compromise any user passwords and there was "no evidence of any unauthorised access to customer data", but, as the latest in a series of security incidents involving the company, it was not a good look.
MFA has surged in popularity as mobile authenticator apps removed the need for users to carry separate hardware tokens. Security researchers have worked tirelessly to find ways of compromising MFA systems, despite their generally strong security.
Speaking at the AusCERT conference, Jess Dodson, senior customer engineer for security and identity with Microsoft, explained that users are going to try to find the path of least resistance, and they will reuse passwords, pointing out that "MFA is important – and it shouldn't just be for your top-end users".
Dodson urged people to "just go and turn it on", noting that 99 per cent of identity-related breaches "can have their effectiveness reduced by having MFA".
"Brute forcing can't work if you have MFA.
"Even phishing attacks can't work well if you have MFA.
"So turning MFA on for everyone in your environment is one of the best things you can do to put zero trust in place," Dodson said.