
In recent days, it has become clear that the hack on Okta has major implications for its customers. The stolen data allows cybercriminals to log into customers' systems, and the incident shows once again how vulnerable our digital identities are.

Earlier this week, Okta reported that data was stolen from its customer support system. That data turned out to be highly sensitive: it contains live session material that cybercriminals can use to access the systems of Okta's customers.

Okta is a so-called identity and access management (IAM) solution, a competitor of Microsoft's Azure Active Directory (now Entra ID). Okta holds a company's directory of employees and their login credentials, and whenever an employee tries to log in somewhere, Okta checks and authorises that session. That makes it a crucial component of a corporate network. This core system, however, was not hacked.

Smart hack on customer service solution

The system that was hacked is the customer support system. The cybercriminals used stolen credentials to log in, and what they did there turned out to be very smart.

As with all software, things sometimes go wrong and an organisation needs support, for example to figure out why something is not working correctly in a browser session. In those cases you contact the vendor's support desk, and that applies to Okta's customers too.

With problems like these, it is often easiest if the support engineer can replicate the problem: if they can experience it themselves, they find a solution faster. Okta therefore often asks the customer to upload a so-called HTTP Archive (HAR) file. A HAR file is a JSON recording of every HTTP request and response the browser made while the problem was reproduced, including the full request headers (so the Cookie and Authorization headers), the response headers (including Set-Cookie) and usually the response bodies. That lets the support engineer replay exactly what the user was trying to do and analyse where it goes wrong, but it also means the file contains the user's live session cookies and tokens.

Access to sessions and cookies

Hackers gained access to Okta's customer support system and were able to download HAR files that customers had uploaded. They then searched those files for session cookies and tokens and used them to try to gain access to the customers' systems: a valid session cookie lets an attacker act as the user without knowing their password or passing the MFA prompt, because the session was already authenticated when it was captured.

Companies such as 1Password and Cloudflare have already disclosed that they detected malicious activity traceable to HAR files they had shared with Okta support. Chances are this is just the tip of the iceberg.

Okta states that it normally recommends removing all cookies and session tokens from a HAR file before sharing it. In practice this probably does not happen often: customers want their problem solved, Okta is a trusted vendor, and nobody wants to edit a large JSON file by hand.
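Sanitising a HAR file is mechanical enough to script. The following is an added example, not Okta's tooling or code from this article: it strips cookies, the Cookie/Set-Cookie/Authorization headers, token-bearing query parameters and token-like JSON body fields from a HAR export, and offers a `find_leaks` check to run before uploading. The sample HAR, the hostname example.okta.com and all token values are constructed for the example; the lists of sensitive header, parameter and key names are assumptions that you should extend for the applications in your own capture.

```python
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Assumed lists of names that carry credentials or session material; extend as needed.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
SENSITIVE_PARAMS = {"token", "sessiontoken", "code", "id_token", "access_token", "samlresponse"}
SENSITIVE_JSON_KEYS = re.compile(
    r'"(sessionToken|session_token|access_token|refresh_token|id_token|token|password)"\s*:\s*"[^"]*"',
    re.IGNORECASE,
)

# Constructed sample HAR (made-up hostname and token values), trimmed to the
# fields that matter here; a real browser export carries many more fields.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                 "headers": [{"name": "Host", "value": "example.okta.com"},
                             {"name": "Cookie", "value": "sid=FAKE-SID; JSESSIONID=FAKE-JSESSION"},
                             {"name": "Authorization", "value": "Bearer FAKE-BEARER"}],
                 "cookies": [{"name": "sid", "value": "FAKE-SID"}, {"name": "JSESSIONID", "value": "FAKE-JSESSION"}],
                 "queryString": [],
                 "postData": {"mimeType": "application/json", "text": '{"sessionToken": "FAKE-ST"}'}},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=FAKE-NEW-SID; Path=/; HttpOnly; Secure"},
                              {"name": "Content-Type", "value": "application/json"}],
                  "cookies": [{"name": "sid", "value": "FAKE-NEW-SID"}],
                  "content": {"mimeType": "application/json", "text": '{"id": "00u1", "status": "ACTIVE"}'}}},
    {"request": {"method": "GET",
                 "url": "https://example.okta.com/login/sessionCookieRedirect?token=FAKE-ST&redirectUrl=https%3A%2F%2Fexample.okta.com%2Fapp",
                 "headers": [], "cookies": [],
                 "queryString": [{"name": "token", "value": "FAKE-ST"},
                                 {"name": "redirectUrl", "value": "https://example.okta.com/app"}]},
     "response": {"status": 302, "headers": [{"name": "Location", "value": "https://example.okta.com/app"}],
                  "cookies": [], "content": {"mimeType": "text/html", "text": ""}}},
]}}


def _scrub_url(url):
    """Blank sensitive query parameters; keep the path and the other parameters."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def _scrub_body(text):
    """Blank the value of token-like keys in a JSON body. Bodies stored with
    "encoding": "base64" are not decoded here, so inspect those separately."""
    return SENSITIVE_JSON_KEYS.sub(lambda m: f'"{m.group(1)}": "{REDACTED}"', text)


def sanitize_har(har):
    """Return a deep copy of `har` with cookies, auth headers, token-bearing query
    parameters and token-like body fields redacted. URLs, status codes and
    timings stay intact so support can still follow the flow."""
    out = copy.deepcopy(har)
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in part.get("cookies", []):
                c["value"] = REDACTED
        req, resp = entry["request"], entry["response"]
        req["url"] = _scrub_url(req["url"])
        for p in req.get("queryString", []):
            if p.get("name", "").lower() in SENSITIVE_PARAMS:
                p["value"] = REDACTED
        if "text" in req.get("postData", {}):
            req["postData"]["text"] = _scrub_body(req["postData"]["text"])
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = _scrub_body(resp["content"]["text"])
    return out


def find_leaks(har):
    """List (entry index, location) pairs where a sensitive header, cookie or query
    parameter still holds a non-redacted value. Run on a file before uploading it."""
    leaks = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    leaks.append((i, f"{side}.headers.{h['name']}"))
            for c in part.get("cookies", []):
                if c.get("value") != REDACTED:
                    leaks.append((i, f"{side}.cookies.{c.get('name')}"))
        for p in entry["request"].get("queryString", []):
            if p.get("name", "").lower() in SENSITIVE_PARAMS and p.get("value") != REDACTED:
                leaks.append((i, f"request.queryString.{p['name']}"))
    return leaks


def sanitize_har_file(src, dst):
    """Sanitize a HAR file on disk and return whatever leaks are left for review."""
    with open(src, encoding="utf-8") as f:
        clean = sanitize_har(json.load(f))
    with open(dst, "w", encoding="utf-8") as f:
        json.dump(clean, f, indent=2)
    return find_leaks(clean)


if __name__ == "__main__":
    print("leaks before:", find_leaks(SAMPLE_HAR))
    print("leaks after:", find_leaks(sanitize_har(SAMPLE_HAR)))
```

The `find_leaks` check is deliberately independent of the scrubber: run it on the output file as a second pair of eyes, and treat anything it reports, or any body stored base64-encoded, as a reason not to upload yet.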

Vulnerability of online authentication

It ultimately took Okta several weeks to work out exactly what had happened. Some of its customers noticed far earlier that someone was trying to log in with their sessions and, once in, to modify accounts and permissions; those attempts were caught by the customers' own monitoring. Okta has contacted all customers whose HAR files may have been downloaded by the criminals.

The more important lesson of this story is how vulnerable online authentication is. Once cybercriminals get hold of session cookies and tokens, they can replay the customer's browser session and walk into all sorts of online systems without a password or MFA prompt. Some SaaS providers have additional safeguards for this, such as tying a session to the IP address or device it was created on and expiring it quickly, but many do not.
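What such a safeguard can look like on the provider side, or as a detection rule in a customer's SIEM, as an added example (not code from Okta, 1Password, Cloudflare or this article): each session id is bound to the IP address and user agent it was first seen with, and every later event that arrives from a different one raises an alert, escalated when the user agent changed or the action is privileged. The event format and the action names are constructed for the example, loosely modelled on the fields an identity provider's system log carries; adapt the field names to your own logs.

```python
# Constructed sample events (not real logs). Session sid-1 is first seen from
# alice's browser, later reused from another IP and a scripted client to grant
# privileges; sid-2 is an ordinary session. Timestamps are ISO 8601 so they sort.
SAMPLE_EVENTS = [
    {"ts": "2023-10-20T10:00:01Z", "session": "sid-1", "user": "alice",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh)", "action": "app.view"},
    {"ts": "2023-10-20T10:05:12Z", "session": "sid-1", "user": "alice",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh)", "action": "app.view"},
    {"ts": "2023-10-20T12:30:00Z", "session": "sid-1", "user": "alice",
     "ip": "203.0.113.55", "ua": "Mozilla/5.0 (Macintosh)", "action": "app.view"},
    {"ts": "2023-10-20T15:42:03Z", "session": "sid-1", "user": "alice",
     "ip": "198.51.100.7", "ua": "python-requests/2.31", "action": "user.account.privilege.grant"},
    {"ts": "2023-10-20T15:42:30Z", "session": "sid-1", "user": "alice",
     "ip": "198.51.100.7", "ua": "python-requests/2.31", "action": "user.lifecycle.create"},
    {"ts": "2023-10-20T16:00:00Z", "session": "sid-2", "user": "bob",
     "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Windows)", "action": "app.view"},
]

# Assumed set of actions an attacker with a replayed admin session goes for first.
PRIVILEGED_ACTIONS = {"user.account.privilege.grant", "user.lifecycle.create", "policy.rule.update"}


def detect_session_replay(events):
    """Bind each session id to the IP and user agent it was first seen with and
    return an alert for every later event that breaks the binding.

    An IP change alone is 'medium' (laptops roam between networks); a changed
    user agent, or a privileged action from the new client, is 'high'."""
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if sid not in first_seen:
            first_seen[sid] = (ev["ip"], ev["ua"])
            continue
        orig_ip, orig_ua = first_seen[sid]
        reasons = []
        if ev["ip"] != orig_ip:
            reasons.append(f"ip {orig_ip} -> {ev['ip']}")
        if ev["ua"] != orig_ua:
            reasons.append(f"user agent {orig_ua!r} -> {ev['ua']!r}")
        if not reasons:
            continue
        high = ev["ua"] != orig_ua or ev["action"] in PRIVILEGED_ACTIONS
        alerts.append({
            "ts": ev["ts"], "session": sid, "user": ev["user"], "action": ev["action"],
            "severity": "high" if high else "medium", "reasons": reasons,
        })
    return alerts


def sessions_to_revoke(alerts, min_severity="high"):
    """Session ids that should be revoked (and their users re-authenticated)."""
    wanted = {"high"} if min_severity == "high" else {"high", "medium"}
    return sorted({a["session"] for a in alerts if a["severity"] in wanted})


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert["severity"], alert["ts"], alert["user"], alert["action"], "; ".join(alert["reasons"]))
    print("revoke:", sessions_to_revoke(detect_session_replay(SAMPLE_EVENTS)))
```

The first-seen binding is the cheapest form of the device binding mentioned above and it is deliberately strict on user-agent changes: a browser session that suddenly speaks with a scripting library's user agent is the signature of a cookie lifted out of a file rather than a user who changed networks.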

Passkeys stop phishing, not session theft

A while ago we wrote about Passkeys, which should stop phishing campaigns from succeeding by making passwords unnecessary. Passkeys do not use passwords, and they do not use hashes either: each Passkey is a public/private key pair created for one specific website, and only the public key is sent to the site. The private key stays on the device, in a password manager or the platform's own credential store, and is unlocked with biometrics or a PIN backed by a secure chip on the device, such as the TPM in a Windows laptop or the secure hardware in an Android smartphone or iPhone. At login the device signs a challenge from the site, and that signature is tied to the site's domain, so it cannot be captured on a look-alike site or replayed elsewhere. What Passkeys do not change, however, is what happens after the login: the site still issues a session cookie, and that cookie is exactly what was stolen from the HAR files. Until websites tie sessions to the device they were created on, or at least keep session lifetimes short and re-authenticate before sensitive actions, a stolen cookie will keep working no matter how securely the session was opened.

Read more: What are Passkeys? Removing the human element from authentication