Okta recently experienced a supply chain attack, and this hack affected some of its customers, including Cloudflare and 1Password. The hackers exploited a vulnerability in Okta’s customer support system, which allowed them to access files uploaded by customers for troubleshooting purposes. These files contained sensitive information, such as session cookies and tokens that could be used to impersonate user accounts on Okta and other services.
One of the CVE numbers associated with this incident is CVE-2022-0778, which is a denial-of-service vulnerability in Okta’s RADIUS Server Agent. This vulnerability could allow an attacker to send specially crafted packets to the agent and cause it to crash. Another CVE number is CVE-2021-44228, also known as “Log4Shell”, which is a critical remote code execution vulnerability in the Apache Log4j library. This vulnerability could allow an attacker to execute arbitrary commands on the server by sending malicious log messages. Okta said it patched both vulnerabilities and found no evidence of exploitation.
The hackers tried to break into 1Password using the session tokens stolen from Okta’s support system. However, 1Password said it detected and terminated the suspicious activity within minutes, and found no compromise of user data or other sensitive systems. 1Password also said it uses hardware security keys that prevent phishing attacks, and that its user data is encrypted with strong encryption algorithms. 1Password revealed the minor breach on October 23rd, nearly a month after detecting it.
The Okta hack occurred when an unknown hacker used a stolen authentication token to access Okta’s customer support system. This token was likely obtained from a previous breach of Okta’s internal network or from a phishing attack on an Okta employee. The hacker then viewed files uploaded by some of Okta’s customers for troubleshooting purposes. These files contained HTTP Archive (HAR) data, which recorded the browser activity and interactions of the customers. The HAR data included session cookies and tokens that could be used to log in to Okta and other services without needing passwords or two-factor authentication.
The hacker then used the stolen session tokens to target some of Okta’s customers, such as Cloudflare, 1Password, and BeyondTrust. The hacker tried to access their systems and data through Okta’s single sign-on technology. However, the hacker was detected and blocked by the security measures of these companies, such as hardware security keys, encryption, and anomaly detection. The hacker did not manage to compromise any user data or sensitive systems of these companies.
Okta said it patched the vulnerabilities that allowed the hacker to access its support system and revoked the embedded session tokens. Okta also notified the affected customers and advised them to sanitize their credentials and cookies before sharing HAR files. Okta disclosed the breach on October 20th, 2023, after investigating it for several weeks.
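The root cause above is that a HAR capture records every request and response, including the `Cookie`, `Authorization` and `Set-Cookie` headers and any session tokens carried in bodies or query strings, so a file shared for troubleshooting is also a bundle of live credentials. The following is an added example of the sanitization step Okta advised, written for this article rather than taken from Okta or any of the affected vendors. The lists of header names, parameter-name patterns and body keywords are assumptions about where session material typically appears in a capture, and the sample HAR is constructed, not a real support upload.

```python
"""HAR sanitizer: strip session cookies, bearer tokens and other credential
fields from a capture before it leaves the machine (added example, not Okta's
tooling; the name lists below are assumptions, not a vendor specification)."""
import copy
import json
import re

REDACTED = "[REDACTED]"

# Header names whose values are credentials or session material (assumed).
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-csrf-token", "x-xsrf-token",
}

# Query-string / form parameter names likely to carry secrets (assumed).
SENSITIVE_PARAM = re.compile(
    r"(token|session|sid|password|passwd|secret|code|assertion|api[_-]?key)",
    re.IGNORECASE,
)

# If any of these appear in a body, the whole body is dropped. Deliberately
# coarse: a support file should err towards over-redaction.
BODY_MARKERS = ("token", "session", "password", "secret", "assertion", "cookie")


def _redact_pairs(pairs, matches):
    """Blank the value of every {"name","value"} pair whose name matches."""
    n = 0
    for pair in pairs:
        if matches(pair.get("name", "")) and pair.get("value") != REDACTED:
            pair["value"] = REDACTED
            n += 1
    return n


def _redact_body(container, key):
    """Replace container[key]["text"] when it looks secret-bearing."""
    body = container.get(key) or {}
    text = body.get("text")
    if isinstance(text, str) and any(m in text.lower() for m in BODY_MARKERS):
        body["text"] = REDACTED
        body.pop("params", None)  # decoded form params duplicate the body
        return 1
    return 0


def sanitize_har(har):
    """Return (sanitized deep copy, number of fields redacted)."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            count += _redact_pairs(msg.get("headers", []),
                                   lambda n: n.lower() in SENSITIVE_HEADERS)
            # Parsed cookie objects are always session material: blank them all.
            count += _redact_pairs(msg.get("cookies", []), lambda n: True)
        req = entry.get("request", {})
        count += _redact_pairs(req.get("queryString", []),
                               lambda n: bool(SENSITIVE_PARAM.search(n)))
        count += _redact_body(req, "postData")
        count += _redact_body(entry.get("response", {}), "content")
    return out, count


# Constructed sample (not a real capture): one sign-in request whose cookie,
# bearer token, query string and both bodies all carry session material.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://idp.example.test/api/v1/authn",
        "headers": [{"name": "Cookie", "value": "sid=abc123; DT=xyz"},
                    {"name": "Authorization", "value": "Bearer eyJ.fake.jwt"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
        "queryString": [{"name": "sessionToken", "value": "tok-1"},
                        {"name": "page", "value": "1"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"username":"u","password":"p"}'},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "def456"}],
        "content": {"mimeType": "application/json",
                    "text": '{"sessionToken":"tok-2","status":"SUCCESS"}'},
    },
}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} fields")
    print(json.dumps(clean, indent=2))
```

Running it on the constructed sample redacts eight fields (two request headers, one response header, both cookie objects, the `sessionToken` query parameter and both bodies) while leaving non-sensitive headers and parameters intact, so the capture still shows the request flow a support engineer needs. Running the sanitized output through the function a second time redacts nothing, which is a cheap check to add to any pre-upload script. The stronger mitigation remains the one the affected customers relied on: short session lifetimes and revocation of the tokens embedded in any file already shared, since a sanitizer only protects captures created after it is in use.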