Researchers at Authomize have discovered four “high impact” security risks in the identity and access management (IAM) platform Okta, according to a Tuesday report.
The risks include cleartext password leakage via SCIM – the System for Cross-domain Identity Management – sharing of passwords and other data over unencrypted HTTP channels, default configurations which allow admins to invade other organizations’ IT environments, and mutable identity log spoofing.
Attackers who take advantage of these risks could steal authentication data, access sensitive personal and financial information and disrupt Okta-managed IT environments.
The Risks in IAM
IAM software organizes which individuals have access to which resources in an IT environment. Platforms like Okta also offer features like password management and single sign-on, allowing users to log in more seamlessly and move from one software environment to another. In all, IAMs are quite convenient for users and administrators alike.
However, an insecure IAM is convenient for attackers for many of the same reasons. The newly discovered risks in Okta could allow hackers or malicious insiders to obtain passwords, take over administrator accounts, or even destroy an entire organization’s data.
Take, for example, the third risk outlined in the report.
For global and distributed organizations, Okta utilizes a hub and spoke architecture, where the parent company (“hub”) oversees and provides services for the smaller independent businesses (“spokes”) it controls. What the researchers discovered is that an admin in an Okta spoke “can impersonate any account in the hub and/or a downstream app connected to the hub.” The report lays out how this might occur, hypothetically:
A small company was acquired by a large Fortune 500. The corporation connected the small company’s Okta as a spoke to their main Okta which acts as their hub with the default configuration. A compromised admin from the acquired company’s spoke gains super admin privileges throughout their Okta hub by impersonating a super admin, and therefore achieves full, unlimited access to the corporate’s entire collection of apps and services.
The small company’s administrator could access other businesses’ IT environments – including the one belonging to the large Fortune 500 itself – to steal or destroy sensitive data, or leverage the data to do just about anything else.
Are These Vulnerabilities?
The researchers were careful to characterize their findings as “risks,” rather than outright vulnerabilities. When they reached out to Okta, Okta explained that “the features are performing as designed and should not be categorized as vulnerabilities.” How could that be?
Consider our earlier example. The small company admin can obtain unauthorized access to the hub and other spokes by creating a user with the same identifier as an admin in the hub. That two users in a giant hub and spoke environment can have the same username “is intentional and meant to make it easier to scale access controls across the organization while limiting the scope of control to a specific spoke.” In practice, however, duplicate identifiers expose the hub to any rogue spoke admin.
Okta offers a way to turn off username duplication, but “these controls are not set by default, making the user potentially insecure from the initial settings. Okta also does little in their guide to explain to their users that they may be at significant risk from these insecure default settings.”
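One defensive check that follows from the hub-and-spoke risk described above is a periodic audit for spoke accounts whose login identifier collides with an account in the hub, rated by whether the hub account is privileged. This is an added example, not code from the Authomize report or from Okta; the `Account` record, role names and sample data are hypothetical and would need to be populated from a real directory export.

```python
from dataclasses import dataclass, field

# Hypothetical role names; substitute the ones your directory export uses.
PRIVILEGED_ROLES = {"SUPER_ADMIN", "ORG_ADMIN"}

@dataclass(frozen=True)
class Account:
    org: str                      # "hub" or the name of a spoke
    login: str                    # user identifier as stored in that org
    roles: frozenset = field(default_factory=frozenset)

def normalize_login(login: str) -> str:
    # Identifiers differing only by case or surrounding whitespace are treated
    # as the same name, since that is how a lookup would match them.
    return login.strip().lower()

def find_identifier_collisions(hub_accounts, spoke_accounts):
    """Return findings for spoke accounts whose login also exists in the hub.
    A collision with a privileged hub account is rated high, otherwise medium."""
    hub_by_login = {}
    for acct in hub_accounts:
        hub_by_login.setdefault(normalize_login(acct.login), []).append(acct)
    findings = []
    for spoke_acct in spoke_accounts:
        for hub_acct in hub_by_login.get(normalize_login(spoke_acct.login), []):
            privileged = bool(hub_acct.roles & PRIVILEGED_ROLES)
            findings.append({
                "login": hub_acct.login,
                "spoke": spoke_acct.org,
                "hub_roles": sorted(hub_acct.roles),
                "severity": "high" if privileged else "medium",
            })
    return findings

# Constructed sample data (hypothetical, not an Okta export).
HUB = [
    Account("hub", "alice@corp.example", frozenset({"SUPER_ADMIN"})),
    Account("hub", "bob@corp.example"),
]
SPOKES = [
    Account("acquired-co", "Alice@corp.example"),   # created by the spoke admin
    Account("acquired-co", "carol@acquired.example"),
    Account("emea-unit", "bob@corp.example"),
]

if __name__ == "__main__":
    for f in find_identifier_collisions(HUB, SPOKES):
        print(f"[{f['severity']}] spoke '{f['spoke']}' has login '{f['login']}' "
              f"matching a hub account with roles {f['hub_roles']}")
```

The high-severity finding is the scenario in the report: a spoke-created account reusing a hub super admin's identifier. The audit complements, rather than replaces, the Okta setting that disables username duplication.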
“Okta has very good security practices in many areas,” the researchers noted, adding that “we are sure similar issues exist in other IAM providers.” So, in concluding their study, “our recommendation is that organizations take a proactive approach to implement independent security solutions for their IAM tools.”