Researchers discover way to impersonate Okta user in popular cloud environments
Researchers on Monday reported discovering an impersonation technique in Okta that lets an Okta administrator grant themselves or someone else elevated rights by acting as an impersonated user in another application or environment, such as Azure, Google Cloud Platform, or AWS.
In a blog post, Permiso Security and ACV Auctions said that, based on “in the wild” detections they reviewed, the impersonation technique is also an effective method of bypassing multi-factor authentication (MFA). While the impersonator may have had to pass their own MFA check, they are not forced to provide an MFA verification again under the context of the impersonated user. Ian Ahl, vice president of P0 Labs at Permiso, explained how this would work:
“In Okta, you have your normal username that you log into Okta with, but you can also have application-specific usernames. The impersonation technique takes advantage of being able to have different application usernames. The attacker simply modifies the application username to be the identity they wish to impersonate. The attacker would then log on to the Okta portal with their normal identity (john@example.com) and then click on the AWS app, for example, which is now configured to (sally@example.com), allowing them to authenticate into AWS as Sally.”
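The defensive counterpart to the technique Ahl describes is to watch the Okta System Log for application-username changes whose new value no longer matches the user's Okta login. The following detection is an added example, not code from Permiso, ACV Auctions or Okta; it assumes the event type `application.user_membership.change_username` and a simplified target layout (User, AppUser, AppInstance entries), and the log lines are constructed, so verify both against your own tenant's log before relying on it.

```python
import json

# Event type assumed for an app-username change (verify against your tenant's System Log).
APP_USERNAME_CHANGE = "application.user_membership.change_username"

# Constructed sample events in a simplified Okta System Log shape; not real log data.
SAMPLE_EVENTS = [
    json.dumps({"eventType": APP_USERNAME_CHANGE,
                "actor": {"alternateId": "john@example.com"},
                "target": [{"type": "User", "alternateId": "john@example.com"},
                           {"type": "AppUser", "alternateId": "sally@example.com"},
                           {"type": "AppInstance", "displayName": "AWS Account Federation"}]}),
    json.dumps({"eventType": APP_USERNAME_CHANGE,
                "actor": {"alternateId": "admin@example.com"},
                "target": [{"type": "User", "alternateId": "bob@example.com"},
                           {"type": "AppUser", "alternateId": "bob@example.com"},
                           {"type": "AppInstance", "displayName": "Google Workspace"}]}),
    json.dumps({"eventType": "user.session.start",
                "actor": {"alternateId": "john@example.com"}, "target": []}),
]


def _target(event, kind):
    """Return the first target entry of the given type, or an empty dict."""
    return next((t for t in event.get("target", []) if t.get("type") == kind), {})


def find_app_username_mismatches(lines):
    """Flag app-username changes where the new app username differs from the Okta login.

    A change made by the same user whose mapping is being altered (self_service=True)
    matches the self-impersonation path described above and deserves the highest priority.
    """
    findings = []
    for line in lines:
        event = json.loads(line)
        if event.get("eventType") != APP_USERNAME_CHANGE:
            continue
        okta_login = _target(event, "User").get("alternateId", "").lower()
        app_username = _target(event, "AppUser").get("alternateId", "").lower()
        # A change that keeps the app username equal to the Okta login is benign here.
        if not okta_login or not app_username or okta_login == app_username:
            continue
        actor = event.get("actor", {}).get("alternateId", "").lower()
        findings.append({"app": _target(event, "AppInstance").get("displayName", "?"),
                         "okta_login": okta_login, "app_username": app_username,
                         "actor": actor, "self_service": actor == okta_login})
    return findings
```

In practice the mismatch check should also tolerate legitimate mappings (for example a different username format for a given app), so pair it with an allowlist of expected transformations per application.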