A security flaw has been found in Okta's identity and access management platform that could give unauthorized third parties access to user login credentials, according to cybersecurity researchers from Mitiga, as reported by TechRadar.
The researchers discovered that, in some instances, user passwords appeared in plain text within audit logs. Anyone who can read those logs could also see the sensitive data recorded alongside them, such as IP addresses, usernames, and login timestamps.
If a threat actor then used the leaked credentials to log in successfully, they could ultimately gain access to any resources or applications available to that user.
Post-Exploitation Attack Method
Mitiga referred to this security issue as a post-exploitation attack method. The researchers explained that every login attempt is logged, and that users sometimes mistakenly type their password into the username field, resulting in a failed login attempt.
Even this failed attempt is recorded in the audit logs, and because the mistyped value is stored as the username, the password is displayed in plain text.
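One defensive control a tenant can apply to exported audit logs before they reach a SIEM or ticketing system is to flag failed login attempts whose "username" breaks the organization's naming convention and has the character mix of a password, and redact that value. The following is an added example written for this article, not code from Mitiga or Okta; the event shape and the example.com e-mail convention are constructed assumptions, not Okta's real log schema.

```python
import re

# Constructed, simplified audit-log events (illustrative shape, not Okta's real schema).
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "outcome": "SUCCESS", "login": "alice@example.com"},
    {"eventType": "user.session.start", "outcome": "FAILURE", "login": "alcie@example.com"},
    {"eventType": "user.session.start", "outcome": "FAILURE", "login": "Tr0ub4dor&3!x"},
    {"eventType": "user.session.start", "outcome": "SUCCESS", "login": "alice@example.com"},
]

# Assumed tenant convention: usernames are e-mail addresses (hypothetical example.com domain).
USERNAME_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)


def char_classes(value: str) -> int:
    """Count how many of lower / upper / digit / symbol classes the string uses."""
    return sum((
        any(ch.islower() for ch in value),
        any(ch.isupper() for ch in value),
        any(ch.isdigit() for ch in value),
        any(not ch.isalnum() for ch in value),
    ))


def looks_like_credential(value: str, min_classes: int = 3) -> bool:
    """Heuristic: a 'username' that violates the naming convention and mixes three or
    more character classes is more likely a mistyped password than a mistyped login.
    A plain typo such as 'alcie@example.com' still matches the convention and is kept."""
    if not value or USERNAME_RE.match(value):
        return False
    return char_classes(value) >= min_classes


def redact_events(events):
    """Return a sanitized copy of the events and the number of redacted 'login' values.
    Only FAILURE events are examined: a successful login's username is valid by definition."""
    sanitized, redacted = [], 0
    for event in events:
        event = dict(event)  # do not mutate the caller's records
        if event.get("outcome") == "FAILURE" and looks_like_credential(event.get("login", "")):
            event["login"] = "[REDACTED:possible-credential]"
            event["redacted"] = True  # lets the SIEM alert on the incident itself
            redacted += 1
        sanitized.append(event)
    return sanitized, redacted


if __name__ == "__main__":
    events, count = redact_events(SAMPLE_EVENTS)
    for event in events:
        print(event)
    print(f"{count} value(s) redacted")
```

The heuristic is deliberately conservative so ordinary typos in the username survive; the redacted flag still lets an analyst follow up with the affected user and rotate the password.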
The researchers recommend using multi-factor authentication (MFA) to reduce the chances of threat actors exploiting audit logs to compromise accounts.
However, Okta stated that only Okta administrators have access to the audit logs and that they are trusted individuals. Okta suggested that multi-factor authentication could further enhance the platform's security and protect against phishing attacks.
"Okta has reviewed the reported issue and confirmed that it is expected behavior when users mistakenly enter their password in the username field," the company said in a statement to TechRadar.
"Okta logs failed login attempts and includes the erroneous username in the logs. These logs are only accessible to Okta administrators, who are the most privileged users in Okta and should be trusted not to engage in malicious activities."
Phishing-Resistant Multi-Factor Authentication
To further boost the security of the Okta platform, the company advises enforcing phishing-resistant multi-factor authentication. It notes that MFA is required by default to use the Okta Admin console.
Without supplying the additional authentication factor, a malicious actor who obtained a password could not access the admin console.
Administrators can also set up an Authentication Policy that requires additional MFA to log into particular applications, further limiting the actions a malicious user can take.
The issue could still be concerning, as Okta stores highly sensitive information in its logs, which makes them an attractive target for cybercriminals.
The company assures its clients that it has reviewed the issue and is taking the necessary steps to address it. Nevertheless, this issue highlights the importance of implementing security measures such as MFA to prevent unauthorized access and protect sensitive data.