
Okta says Customer Identity Cloud prone to credential-stuffing attacks


Okta notified its customers that the cross-origin authentication feature in its Customer Identity Cloud is now prone to being targeted by threat actors conducting credential stuffing attacks.

In a May 28 notification to its customers, Okta said it observed endpoints used to support the credential stuffing attacks for “a number” of its customers.

The large identity vendor explained that in this type of attack, threat actors sign in to online services using large lists of usernames and passwords potentially obtained from previous data breaches, or from phishing or malware campaigns.

Ted Miracco, chief executive officer at Approov, said that frequent admissions of vulnerabilities by identity and access management (IAM) providers like Okta will undoubtedly affect user confidence, but also may accelerate improvements in security practices such as a migration away from passwords and other inadequate technologies across the industry. 

“Okta's disclosure mirrors how companies like Google handle zero-day vulnerabilities,” said Miracco. “It should be seen as a responsible move in that transparency about vulnerabilities and proactive communication are critical. However, patching will only partially close the vulnerability, and we need to enforce strong MFA and rate limiting to add extra layers of security beyond just passwords.”

Jason Soroko, senior vice president of product at Sectigo, said in this case, cross-origin authentication lets third-party websites authenticate users without redirecting them. However, its susceptibility to attacks puts user credentials at risk.

“Organizations must scrutinize tenant logs for unusual login patterns and promptly rotate credentials while considering disabling the vulnerable feature,” explained Soroko. “The reporting on this incident does seem to mirror a more reactive, rather than proactive, cybersecurity measure. Security teams must treat this with the urgency it deserves.”

Ken Dunham, cyber threat director at Qualys, added that IAM has arguably become the most targeted category by all threat actor types, with credential stuffing as a very common tactic.

Dunham said organizations are highly encouraged to harden IAM apps against multiple tactics of abuse, especially credential stuffing, to ensure multiple layers of proactive controls to lower risk against attack from multiple threat actors eager to intrude and exploit.

“Don't let threat actors be your IAM auditor,” said Dunham. “Move beyond complex password basics to harden your authentication of users and accounts to ensure you're not the next breach victim in the news.”

Okta offered some recommendations for how to best protect users from credential-stuffing attacks:

Long-term fix: Enroll users in passwordless, phishing-resistant authentication. Use passkeys as the most secure option. Passkeys are included on all Auth0 plans from Okta’s free plan through Enterprise.

Medium-term mitigations: Prevent users from deploying weak passwords. Require a minimum of 12 characters and no parts of the user name. Block passwords found in the Common Password List.  
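The medium-term password rules above, sketched as a server-side check at sign-up or password change. This is an added example, not code from Okta or Auth0; the function names, the 3-character threshold for what counts as a "part" of the user name, and the small constructed blocklist are assumptions.

```python
import re
import unicodedata

MIN_LENGTH = 12      # minimum length stated in the recommendation
MIN_NAME_PART = 3    # assumption: shorter username fragments are ignored


def _norm(text: str) -> str:
    """NFKC-normalize and case-fold so look-alike variants compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


# Constructed stand-in for a common-password list; load a real list in production.
COMMON_PASSWORDS = frozenset(
    _norm(p) for p in ("password1234", "qwertyuiop12", "123456789012", "letmein12345")
)


def username_parts(username: str) -> set[str]:
    """Split the local part of a username or e-mail address into reusable fragments."""
    local = _norm(username).split("@", 1)[0]
    # Split on punctuation and underscores; drop fragments too short to be meaningful,
    # otherwise a user named "al" could never choose "crystal-walrus-42".
    return {p for p in re.split(r"[\W_]+", local) if len(p) >= MIN_NAME_PART}


def check_password(username: str, password: str,
                   blocklist: frozenset = COMMON_PASSWORDS) -> list[str]:
    """Return the violated rules; an empty list means the password is accepted."""
    problems = []
    candidate = _norm(password)
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if any(part in candidate for part in username_parts(username)):
        problems.append("contains_username_part")
    if candidate in blocklist:
        problems.append("common_password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Summer2024!", "JaneLovesTea2024", "Password1234", "correct-horse-battery"):
        print(pw, check_password("jane.doe@example.com", pw))
```

A check like this only raises the floor for new passwords; it does nothing about credentials already exposed elsewhere, which is why the long-term recommendation is passkeys.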
