07.20.2022

Researchers say Okta could allow attackers to easily exfiltrate passwords, impersonate other users, and alter logs to cover their tracks. – Read more at https://www.darkreading.com/application-security/okta-exposes-passwords-clear-text-theft

Identity services provider Okta is facing serious security flaws, researchers contend, that could easily let an attacker gain remote access to the platform, extract plaintext passwords, impersonate users of downstream applications, and alter logs to hide any evidence they were ever there.

“Following the news of the Okta breach earlier this year, we focused our efforts on understanding what sorts of actions a malicious actor could do if they achieved even a minimal level of access within the Okta platform,” Authomize CTO Gal Diskin said in the team’s security analysis this week. Diskin explained that Okta’s architecture for password syncing allows potential malicious actors to access passwords in plaintext, including admin credentials, even over encrypted channels. To do so, the attacker would need to be signed into the system as an app admin of a downstream app (examples include customer service agents or financial operations teams) — from there, the person could reconfigure the System for Cross-domain Identity Management (SCIM) to nab passwords for any Okta user in the organization.
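The article’s point for defenders is that a provisioning (SCIM) configuration change made by an ordinary app admin, rather than a super admin, is the step worth watching. The following is an added detection example, not code from the article, from Authomize, or from Okta: it scans constructed identity-provider audit records for provisioning-configuration changes and raises an alert when the actor does not hold a trusted administrative role. The event-type strings, role labels and JSON field names are assumptions chosen for the example; when running this against real Okta System Log data, map them to the event types and attributes in Okta’s own documentation.

```python
"""Flag provisioning/SCIM configuration changes made by non-super-admin actors.

Added example. The log lines below are CONSTRUCTED and the eventType values,
role names and field layout are ASSUMED placeholders, not real Okta output.
"""
import json
from typing import Dict, Iterable, List

# Constructed audit records (one JSON object per line), not real Okta System Log data.
SAMPLE_LOG = """\
{"eventType": "application.provisioning.update", "actor": {"id": "u1", "name": "app-admin-finance", "roles": ["APP_ADMIN"]}, "target": {"app": "Finance SaaS"}, "outcome": "SUCCESS"}
{"eventType": "application.provisioning.update", "actor": {"id": "u2", "name": "it-superadmin", "roles": ["SUPER_ADMIN"]}, "target": {"app": "HR SaaS"}, "outcome": "SUCCESS"}
{"eventType": "user.session.start", "actor": {"id": "u1", "name": "app-admin-finance", "roles": ["APP_ADMIN"]}, "target": {}, "outcome": "SUCCESS"}
{"eventType": "application.provisioning.credential_push.update", "actor": {"id": "u1", "name": "app-admin-finance", "roles": ["APP_ADMIN"]}, "target": {"app": "Finance SaaS"}, "outcome": "SUCCESS"}
{"eventType": "application.provisioning.update", "actor": {"id": "u3", "name": "app-admin-support", "roles": ["APP_ADMIN"]}, "target": {"app": "Helpdesk"}, "outcome": "FAILURE"}
"""

# ASSUMED event types that correspond to SCIM / provisioning settings changes.
PROVISIONING_EVENT_TYPES = {
    "application.provisioning.update",
    "application.provisioning.credential_push.update",
}

# Roles whose members are expected to change provisioning settings (ASSUMED labels).
TRUSTED_ROLES = {"SUPER_ADMIN"}


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_provisioning_change(event: Dict) -> bool:
    """True when the record is a successful provisioning-configuration change."""
    return (
        event.get("eventType") in PROVISIONING_EVENT_TYPES
        and event.get("outcome") == "SUCCESS"
    )


def flag_untrusted_provisioning_changes(events: Iterable[Dict]) -> List[Dict]:
    """Return alerts for provisioning changes whose actor lacks a trusted admin role.

    Each alert carries the actor, the affected app and the event type so an
    analyst can review the change and, if needed, revert the SCIM settings and
    rotate credentials that may have been pushed.
    """
    alerts = []
    for event in events:
        if not is_provisioning_change(event):
            continue
        actor = event.get("actor", {})
        roles = set(actor.get("roles", []))
        if roles & TRUSTED_ROLES:
            continue  # a super admin changing provisioning is expected activity
        alerts.append({
            "actor": actor.get("name"),
            "app": event.get("target", {}).get("app"),
            "eventType": event["eventType"],
        })
    return alerts


def actors_with_multiple_changes(alerts: Iterable[Dict]) -> List[str]:
    """Actors responsible for more than one flagged change (a stronger signal)."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["actor"]] = counts.get(alert["actor"], 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    found = flag_untrusted_provisioning_changes(parse_events(SAMPLE_LOG))
    for alert in found:
        print(f"ALERT: {alert['actor']} changed provisioning on {alert['app']} ({alert['eventType']})")
    print("repeat offenders:", actors_with_multiple_changes(found))
```

The failed change on "Helpdesk" is deliberately not alerted, so that the rule stays focused on changes that actually took effect; a team that wants to see attempted changes as well can drop the outcome check in `is_provisioning_change`.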

~Article by Dark Reading Staff
