Password-Leak — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/password-leak/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 29 Feb 2024 12:00:00 +0000Okta Password Entered in AlternateID Fieldhttps://feed.craftedsignal.io/briefs/2024-02-okta-password-alternateid/Thu, 29 Feb 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-02-okta-password-alternateid/Okta logs may contain user passwords if a user mistakenly enters their password into the username field during login, potentially exposing credentials in logs.Okta, a leading identity and access management provider, retains login attempt data in its system logs. This data can be valuable for security monitoring and incident response. However, a misconfiguration or user error can lead to sensitive information, such as passwords, being inadvertently captured within these logs. Specifically, if a user mistakenly enters their password in the username field (referred to as ‘alternateId’ in Okta logs) during a failed login attempt, the password may be stored in plain text within the log entry. This exposes the password to anyone with access to Okta system logs. This issue was highlighted in a Mitiga blog post, underscoring the risk to user data. Defenders must implement measures to detect and prevent such occurrences to maintain the confidentiality of user credentials and the overall security posture.

Attack Chain

  1. User attempts to log in to an Okta-protected application.
  2. The user mistakenly enters their password in the username (alternateId) field.
  3. The Okta authentication process fails due to incorrect credentials.
  4. Okta logs the failed login attempt, including the ‘core.user_auth.login_failed’ event.
  5. The password, entered in the alternateId field, is recorded in the Okta system log.
  6. An attacker gains unauthorized access to Okta system logs, potentially through compromised credentials or a misconfigured integration.
  7. The attacker searches for ‘core.user_auth.login_failed’ events and examines the ‘actor.alternateId’ field.
  8. The attacker discovers exposed passwords within the ‘actor.alternateId’ field, potentially enabling account takeover or further lateral movement.

Impact

A successful attack exploiting this vulnerability could lead to widespread credential compromise. The number of potentially affected users depends on how frequently users make this mistake and the duration for which logs are retained. Sectors heavily reliant on Okta for authentication, such as technology, finance, and healthcare, are particularly at risk. If passwords are leaked, attackers can gain unauthorized access to sensitive data, applications, and systems, leading to data breaches, financial loss, and reputational damage.

Recommendation

  • Deploy the provided Sigma rule “Okta Password Entered in AlternateID Field” to your SIEM to detect instances of passwords potentially being logged in the actor.alternateId field.
  • Review and adjust the regular expression in the Sigma rule’s filter_main section to align with the specific character restrictions in your Okta username configuration.
  • Implement stricter input validation on Okta login pages to prevent users from entering passwords in the username field.
  • Regularly audit Okta system logs for sensitive information and enforce least privilege access to log data.
  • Educate users about the proper use of login forms to reduce the likelihood of entering passwords in the username field.
  • Implement multi-factor authentication (MFA) to mitigate the impact of compromised passwords, as referenced in security best practices.
]]>highadvisoryattack.credential-accessattack.t1552oktapassword-leak