Identity, Vulnerability Management

Post-exploitation attack method exposes Okta passwords
A post-exploitation attack method in Okta enables adversaries to read users’ passwords in Okta audit logs, according to researchers.

Mitiga researchers developed a post-exploitation technique that illustrates how passwords for Okta users could be exposed if users enter them into the username field. The risk of exposure comes from the way Okta records failed login attempts: whatever was entered in the username field is stored in Okta audit logs as plain text. If the user then enters their credentials successfully, both the username and password have been exposed for a potential attacker to exploit, according to the research posted Thursday.

Okta is a popular identity and access management company with over 17,600 customers, including Major League Baseball, Zoom and Hewlett Packard, according to its website. 

Mitiga’s research included a response from Okta, which confirmed failed login attempts are included in the logs, but said audit logs are only accessible to Okta administrators. 

However, Mitiga said Okta audit logs are often forwarded to centralized security solutions, such as a security information and event management (SIEM) solution, meaning that users who are not administrators could read the logs.

In addition to SIEMs, cloud security posture management (CSPM) software that is integrated with Okta may request “read-only” administrator roles, which include the ability to read audit logs. If those services are breached, Mitiga researchers Doron Karmi and Or Aspir wrote, an attacker can steal the Okta users’ credentials.

Organizations can use a SIEM or analytics platform to find where their logs are stored, and Mitiga created a SQL query to help companies identify potential exposures.
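The kind of check described above, as an added example that is neither Mitiga's query nor Okta's code: it runs over a constructed set of Okta System Log events and assumes the standard field names (`eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress`, `published`) and that the organization's Okta usernames are e-mail addresses. It reports which account needs a password reset and which log entries need scrubbing, without ever returning the suspected secret itself.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Okta System Log events (not real data). On a failed login,
# "actor.alternateId" holds whatever was typed into the username field, which is
# exactly the value that ends up in the audit log in clear text.
SAMPLE_EVENTS = [
    {"uuid": "evt-1", "eventType": "user.session.start", "published": "2023-03-23T10:00:00.000Z",
     "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "Wint3r-2023!"}, "client": {"ipAddress": "198.51.100.7"}},
    {"uuid": "evt-2", "eventType": "user.session.start", "published": "2023-03-23T10:00:20.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7"}},
    {"uuid": "evt-3", "eventType": "user.session.start", "published": "2023-03-23T11:00:00.000Z",
     "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.9"}},
    {"uuid": "evt-4", "eventType": "user.session.start", "published": "2023-03-23T11:00:15.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.9"}},
]

# Assumption: this organization's Okta usernames are e-mail addresses, so a failed
# login whose "username" is not shaped like one is a candidate mistyped secret.
USERNAME_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")

def find_exposed_credentials(events, window_seconds=300):
    """Flag failed logins whose username field does not look like a username and
    that are followed, from the same IP within the window, by a successful login.
    The suspected secret is never returned, only what is needed to remediate."""
    window = timedelta(seconds=window_seconds)
    logins = sorted((e for e in events if e.get("eventType") == "user.session.start"), key=_ts)
    findings = []
    for fail in logins:
        if fail["outcome"]["result"] != "FAILURE":
            continue
        typed = fail["actor"].get("alternateId", "")
        if USERNAME_RE.match(typed):
            continue  # a normal username, not a leaked secret
        for ok in logins:
            same_ip = ok["client"].get("ipAddress") == fail["client"].get("ipAddress")
            if (ok["outcome"]["result"] == "SUCCESS" and same_ip
                    and timedelta(0) <= _ts(ok) - _ts(fail) <= window):
                findings.append({"failure_event": fail["uuid"], "success_event": ok["uuid"],
                                 "user_to_reset": ok["actor"]["alternateId"]})
                break
    return findings

if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE_EVENTS):
        print(finding)
```

The same correlation can be expressed as a SIEM query once the logs are centralized; the point is that the failed-login record, not just the account, must be treated as sensitive.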

Multifactor authentication is an effective way to enhance security against the exploit, Karmi and Aspir wrote, with the caveat that MFA is not foolproof.

For Delinea’s Tony Goulding, any exposure of information in plain text is a concern that should be addressed.

But Keeper Security’s Zane Bond said he doesn’t think the post-exploitation method revealed by Mitiga will rise to the level of needing to disrupt current processes or force security teams to solve the issue. 

Bond said that consumers who accidentally type their passwords into the username field can immediately change their password, and a password manager will protect users from making the mistake in the first place.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
