Okta Verify Vulnerability Disclosure Report - Response and Remediation

Okta

Summary

Okta has confirmed and remediated a reported Okta Verify vulnerability. No action is needed by customers, and outside of the original proof of concept Okta did not identify any evidence of attempts to exploit this vulnerability. As part of our recent Okta Secure Identity Commitment, we are communicating this remediation to customers in the spirit of transparency.

Response

On April 5th, Okta received a report from a researcher at Persistent Security of a potential vulnerability in Okta Verify that detailed a way to bypass phishing resistance checks. Upon receipt, we initiated our vulnerability disclosure process, and further investigation found that an adversary could bypass the phishing-resistant property of Okta Verify FastPass given certain parameters.

On April 8th, Okta’s Engineering team successfully identified the root cause within Okta’s backend code and created a mitigation plan. It’s important to note that the root cause did not reside within the Okta Verify application.

Vulnerability

The details of the vulnerability are as follows.

In a phishing-resistant challenge involving a CUSTOM_URI and SSO Extension, the logic returns “true” if:

  1. the user only offers user verification or an approved consent prompt, and additionally

  2. the origin header is missing.

The authorization intention was to approve transactions only if a user-approved consent accompanied the missing origin header.

However, we incorrectly assumed that a missing origin header combined with an approved user verification (or approved consent prompt) was equivalent to verified phishing resistance. To correct this, we have implemented an additional verification step that confirms a valid origin header is present before confirming phishing resistance. Going forward, this measure ensures that the transaction is valid and secure.
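The decision described above, modelled as an added example that is not Okta's backend code: the flawed check and the corrected check run over the same constructed inputs, so the inputs that only the flawed version accepts can be pinned in a regression test. All names, the `TRUSTED_ORIGINS` allow-list and the handling of a present origin are assumptions made for illustration.

```python
# Illustrative model of the check described above; not Okta's backend code.
# All names and the allow-list below are assumptions made for this example.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_ORIGINS = {"https://login.example.test"}  # constructed allow-list

@dataclass
class ChallengeResponse:
    origin: Optional[str]    # Origin header as received; None when absent
    user_verified: bool      # user verification succeeded
    consent_approved: bool   # user approved the consent prompt

def origin_is_valid(origin: Optional[str]) -> bool:
    """True only for a present, well-formed, allow-listed https origin."""
    if not origin:
        return False
    try:
        parts = urlsplit(origin)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme != "https" or not host or parts.path or parts.query:
        return False
    return f"https://{parts.netloc}".lower() in TRUSTED_ORIGINS

def phishing_resistant_before(r: ChallengeResponse) -> bool:
    """Flawed shape: a missing origin plus user approval is accepted."""
    if r.origin is None:
        return r.user_verified or r.consent_approved
    return origin_is_valid(r.origin)

def phishing_resistant_after(r: ChallengeResponse) -> bool:
    """Corrected shape: a valid origin is required; approval cannot replace it."""
    return origin_is_valid(r.origin)

def regressions(cases):
    """Return the cases the flawed check accepts but the corrected one rejects."""
    return [c for c in cases
            if phishing_resistant_before(c) and not phishing_resistant_after(c)]

# Constructed sample inputs.
CASES = [
    ChallengeResponse(None, True, False),
    ChallengeResponse(None, False, True),
    ChallengeResponse(None, False, False),
    ChallengeResponse("https://login.example.test", True, False),
    ChallengeResponse("https://other.example.test", True, True),
]

if __name__ == "__main__":
    for c in regressions(CASES):
        print("accepted before the fix, rejected after:", c)
```
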

On April 9th, the fix was deployed to a development cell, and validated as effective. We then applied a hotfix to a production cell, and following an additional successful validation, the fix was rolled out to all remaining production cells on April 10th and to staging cells on April 11th. This hotfix remediated the vulnerability, with no customer follow-up action needed.

That said, this reported vulnerability does highlight the importance of comprehensive threat models, as well as the role that manual testing can still play in developing secure components. Okta would like to thank Nikos Laleas and Giuseppe Trotta from the Persistent Security Industries (PSI) Team for bringing this exploit to our attention, as well as their commitment to responsible disclosure.

Timeline

Apr 5, 2024 - Persistent Security contacts Okta with report

Apr 6, 2024 - Okta Security validates the findings

Apr 8, 2024 - Okta discovers root cause

Apr 9, 2024 - Okta deploys fix to development environment

Apr 9, 2024 - Okta validates fix

Apr 10, 2024 - Fix deployed to Production

Apr 11, 2024 - Fix deployed to Preview
