A common user mistake can lead to compromised Okta login credentials
2023-03-23 13:24

Failed login attempts logged for a company's Okta domain could be used by threat actors to discover the access credentials of valid accounts, Mitiga researchers have found.

Those credentials can then be used to log in to any of the organization's platforms that use Okta single sign-on or - if the login credentials belong to an administrator - to gain privileged access to other systems or restricted network areas.

This method for finding valid Okta credentials hinges on attackers' ability to access and/or read Okta audit logs.

"These logs are only accessible to Okta administrators, who are the most privileged users in Okta and should be trusted not to engage in malicious activities," Okta told the researchers.

"We confirmed with Okta that if the logs from Okta are shipped to the company SIEM solution or if third-party services integrate with Okta with some administrative permissions, the logs can be seen by people that are not Okta administrators," Karmi and Aspir told Help Net Security.

The researchers have created a SQL query for SIEM solutions that matches failed login attempts with a password pattern to subsequent successful login attempts, and can be used to detect users' credentials accidentally stored in Okta audit logs.
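A sketch of that kind of correlation, added here as an illustration and not the researchers' query: it runs a SQL join over constructed events in an in-memory SQLite table and reports the account to rotate without echoing the suspected password. The flat `auth_events` schema, the column names, the five-minute window and the password heuristic are all assumptions, as is the premise that the failed event's username field holds what the user typed.

```python
import sqlite3

# Constructed sample events; the flat schema is an assumption, not Okta's log format.
SAMPLE_EVENTS = [
    # (ts in epoch seconds, result, username field as logged, client_ip)
    (1000, "FAILURE", "Summer2023Rain", "198.51.100.7"),   # looks like a password
    (1040, "SUCCESS", "alice@example.com", "198.51.100.7"),
    (2000, "FAILURE", "bob@example.com", "203.0.113.9"),   # ordinary failed login
    (2030, "SUCCESS", "bob@example.com", "203.0.113.9"),
    (3000, "FAILURE", "Winter2022Snow", "192.0.2.44"),     # password-like, no prompt success
    (9000, "SUCCESS", "carol@example.com", "192.0.2.44"),  # outside the default window
]

# Self-join: a password-like failed "username" followed by a success from the same IP.
QUERY = """
SELECT DISTINCT s.username AS account, f.ts AS failed_ts, f.client_ip
FROM auth_events AS f
JOIN auth_events AS s
  ON s.client_ip = f.client_ip
 AND s.result = 'SUCCESS'
 AND s.ts > f.ts AND s.ts - f.ts <= :window
WHERE f.result = 'FAILURE'
  AND f.username NOT LIKE '%@%'      -- not an e-mail style login name
  AND length(f.username) >= 8        -- heuristic: typical password complexity
  AND f.username GLOB '*[A-Z]*'
  AND f.username GLOB '*[a-z]*'
  AND f.username GLOB '*[0-9]*'
ORDER BY f.ts
"""

def find_exposed_accounts(events, window_seconds=300):
    """Return (account, failed_ts, client_ip) rows; the logged password itself is not returned."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_events (ts INTEGER, result TEXT, username TEXT, client_ip TEXT)")
    db.executemany("INSERT INTO auth_events VALUES (?, ?, ?, ?)", events)
    rows = db.execute(QUERY, {"window": window_seconds}).fetchall()
    db.close()
    return rows

if __name__ == "__main__":
    for account, failed_ts, ip in find_exposed_accounts(SAMPLE_EVENTS):
        print(f"rotate password for {account}: failed event at ts={failed_ts} from {ip}")
```

Every hit means a cleartext credential is sitting in the log store, so the follow-up is a password rotation for the account and a review of who can read those logs.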


News URL

https://www.helpnetsecurity.com/2023/03/23/discover-valid-okta-credentials/