Researchers go public after vendor disputes impersonation threat
UPDATED Security researchers claim to have uncovered serious security shortcomings in the systems of identity provider Okta.
Identity and access management specialist Authomize went public with four supposed vulnerabilities following an inconclusive disclosure process.
The vulnerabilities “grant threat actors with app admin privileges the ability to extract clear text passwords, impersonate any downstream user, and impersonate anyone in the hub or another spoke,” according to Authomize.
However, Okta remains unconvinced about the seriousness of these supposed flaws, telling The Daily Swig it has no plans to issue security updates in response to Authomize’s research. Users with any lingering concerns have the option to ratchet up their default security settings, Okta advised.
Gal Diskin, CTO and co-founder of Authomize, said it was “working closely with Okta on improving the security of their customers”.
“While we might disagree with their decision not to assign CVEs for our findings, the crucial point for us is that they are taking them seriously and that we are collaborating with them based on mutual professional respect,” he told The Daily Swig.
Diskin went on to claim that exploiting the flaws would not be difficult for even a modestly skilled attacker.
“If you have the right privileges/configuration [then you], and anyone with even limited technical skills, can carry out this exploitation,” he said.
Diskin continued: “Attackers may use these flaws to: steal passwords for all employees, escalate privileges to super-admin, build persistent hidden backdoors, compromise all downstream apps to perform doxing, impersonation, theft, or for ransom purposes.
“Attackers can use super-admin privileges to perform destructive attacks against downstream apps connected to any IdP [identity provider],” he added.
Asked directly, Authomize admitted it had no evidence of real world exploitation of the flaws it discusses. The security consultancy nonetheless argues that exploitation might have occurred “under the radar”.
“There have been certain unexplained password and username leaks that may end up being traced back to these issues,” Diskin told The Daily Swig. “We’ve also heard from partners in threat intelligence firms that they see identity systems being widely discussed as targets in cybercriminal forums.”
Potential for wider threat
Authomize reckons the security shortcomings it unearthed are particular to Okta – rather than being a generic issue that also affects other identity providers.
Diskin told The Daily Swig: “From our research, it does not appear that other IdPs are similarly at risk.”
“That being said, there are certain attacks inherent to any IdPs such as impersonation via upstream IdPs, username manipulations in downstream apps, and various other misconfigurations that our research suggests requires persistent monitoring,” they concluded.
Okta, however, told The Daily Swig that the issues uncovered by Authomize are not particular to itself and can be addressed by following industry best practice.
“Authomize reached out to Okta with the technical details of their blog post,” Okta told The Daily Swig. “After thorough review, our determination is that the listed items are not unique to Okta and that applying security best-practices will mitigate any risks found with the items in the blog.
“Okta customers who want to increase the security of their organization can utilize our online product documentation to apply the most secure settings,” it added.
On Tuesday, Okta published a blog post summarizing its response to Authomize's research that offers advice to customers on how to secure their environments.
This story has been updated to add a link to Okta's blog post.