Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid credentials and the use of an “unknown” device. Affected users should review system logs.
Okta, a leading identity and access management provider, recently announced patching a critical security vulnerability affecting its Classic product. The flaw, which could allow attackers to bypass application-specific sign-on policies, originated in a July 17, 2024 update and remained exploitable until the issue was patched on October 4, 2024.
The vulnerability, now addressed in Okta’s production environment, could have allowed unauthorized access to applications by bypassing key security controls, including device-type restrictions, network zones, and certain authentication requirements.
However, Okta confirmed that the vulnerability only affected organizations using Okta Classic, and exploitation was contingent on a combination of factors, limiting the scope of the vulnerable systems.
What Happened?
Okta identified the vulnerability on September 27, 2024, and after an internal investigation, determined that it had originated from a software update rolled out on July 17, 2024. The issue was specific to Okta Classic and impacted organizations that had configured application-specific sign-on policies, especially those that relied on device-type restrictions or additional conditions outside the platform’s Global Session Policy.
According to Okta’s security advisory, an attacker would need to meet several conditions to carry out a successful attack. First, the attacker needed access to valid credentials—either through phishing, credential stuffing, or brute-force attacks. Second, the organization had to be using application-specific sign-on policies.
Lastly, the attacker had to be using a device or script that Okta evaluated as an “unknown” user-agent type, which might evade detection by standard device-type restrictions. Once these conditions were met, the attacker might have bypassed sign-on policies that typically require additional layers of authentication or device verification.
Okta has provided specific search recommendations that administrators can use to identify potential exploit attempts in their logs. This includes looking for unexpected successful authentication events where the device type was flagged as “unknown.” Okta also advised customers to search for unsuccessful authentication attempts, which could indicate credential-based attacks preceding a successful login.
Additionally, organizations were encouraged to monitor for deviations in user behaviour, such as unfamiliar IP addresses, geolocations, or access times that could signal unauthorized activity.
Expert Commentary
Piyush Pandey, CEO of identity and access security provider Pathlock, provided insight into the broader implications of such vulnerabilities. Speaking with HackRead.com, Pandey emphasized the importance of rigorous access risk analysis and compliant provisioning of users.
“Automated password management alone is insufficient to secure unauthorized regulated application access risk,” Pandey said. “By focusing on stringent access risk analysis and the compliant provisioning of users, including rigorous management of third-party identities and access, organizations can significantly bolster their security posture, safeguard sensitive data, and ensure compliance with regulatory requirements. This proactive approach protects customer data and trust and enhances overall resilience.
Pandey’s comments highlight the need for organizations to go beyond basic password management and embrace a more comprehensive approach to identity security, especially given the increasing sophistication of cyberattacks.
Organizations affected by this vulnerability are encouraged to follow Okta’s detailed guidance to ensure no unauthorized access occurs during the timeframe in question and to adopt stronger access management practices moving forward.