New Post-Exploitation Attack Method Found Affecting Okta Passwords

A new post-exploitation attack method has been discovered that enables potential attackers to read users’ passwords and credentials in the audit logs of software by enterprise identity solution provider Okta.

The method was uncovered by forensic experts Mitiga and discussed in an advisory published by the team earlier today.

“Adversaries with access to Okta audit logs, whether obtained directly through the admin console or through other systems where logs are shipped, could read Okta users’ passwords if they had been input incorrectly in the username field during login,” wrote Okta security researchers Doron Karmi and Or Aspir.

From a technical standpoint, the flaw derives from the way the Okta system records failed login attempts to instances.

“While it may seem like an edge case, this kind of password mistake is a common one for users. As a result, it poses a risk to many Okta customers,” reads the report.

Karmi and Aspir warned that information obtained in such a way could allow threat actors to compromise Okta user accounts and access resources or applications that they may have access to, effectively expanding the attack’s potential impact.

“By knowing the credentials of users, an attacker can try to log in as those users to any of the organization’s different platforms that use Okta single sign-on (SSO). Also, this information could be used to escalate privileges in the case of exposed administrator passwords,” the researchers added.

The advisory also suggested that potentially affected organizations review the use of their log analytics platform or SIEM (security information and event management) where the Okta logs are stored.

“This type of security risk can occur in any organization that uses Okta for identity and access management,” Karmi and Aspir wrote. “We have created a SQL query that can help companies identify these potential password exposures.”
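The kind of log review described above can be sketched as follows. This is an added example, not Mitiga's SQL query or Okta's code: it flags a failed login whose "username" is not email-shaped and is followed shortly by a successful login from the same IP address, and it reports only the length of the typed value so the suspected password is not copied into yet another system. The field names (`eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress`, `published`) are assumed from Okta's System Log schema, the email-format username policy and the five-minute window are assumptions, and the events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real data); adjust field names to your SIEM.
def _event(ts, result, typed, ip, event_type="user.session.start"):
    return {"published": ts, "eventType": event_type,
            "outcome": {"result": result},
            "actor": {"alternateId": typed},
            "client": {"ipAddress": ip}}

SAMPLE_EVENTS = [
    _event("2023-03-01T09:00:05Z", "FAILURE", "Correct-Horse-42!", "198.51.100.7"),
    _event("2023-03-01T09:00:40Z", "SUCCESS", "alice@example.com", "198.51.100.7"),
    _event("2023-03-01T10:00:00Z", "FAILURE", "bob@example.com", "203.0.113.9"),
    _event("2023-03-01T10:00:20Z", "SUCCESS", "bob@example.com", "203.0.113.9"),
    _event("2023-03-01T11:00:00Z", "FAILURE", "svc-scanner", "192.0.2.44"),
    _event("2023-03-01T11:00:30Z", "SUCCESS", "carol@example.com", "192.0.2.45",
           event_type="user.authentication.sso"),
]

# Assumption: the organization's Okta usernames are email-shaped.
EMAIL_LIKE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")

def find_password_exposures(events, window=timedelta(minutes=5)):
    """Return redacted findings for probable passwords typed as usernames."""
    logins = sorted((e for e in events
                     if e["eventType"] == "user.session.start"), key=_ts)
    findings = []
    for i, failed in enumerate(logins):
        typed = failed["actor"]["alternateId"]
        if failed["outcome"]["result"] != "FAILURE" or EMAIL_LIKE.match(typed):
            continue
        for later in logins[i + 1:]:
            if _ts(later) - _ts(failed) > window:
                break  # sorted by time, so nothing further can match
            if (later["outcome"]["result"] == "SUCCESS" and
                    later["client"]["ipAddress"] == failed["client"]["ipAddress"]):
                findings.append({
                    "likely_user": later["actor"]["alternateId"],
                    "failed_at": failed["published"],
                    "ip": failed["client"]["ipAddress"],
                    "typed_length": len(typed),  # never store the value itself
                })
                break
    return findings

if __name__ == "__main__":
    for finding in find_password_exposures(SAMPLE_EVENTS):
        print(finding)
```

Accounts surfaced this way are candidates for a password reset, since the value remains readable wherever the logs were shipped.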

Further, the security researchers recommended that companies use multi-factor authentication (MFA), implement access controls and monitoring options in SIEM, and educate end-users.

In response to Mitiga’s disclosure, Okta confirmed the validity of the exploitation method and provided additional recommendations for mitigating potential attacks based on it.

The Mitiga advisory comes months after Group-IB security researchers unveiled information about a phishing campaign targeting Okta identity credentials and connected 2FA codes.
