Audit logs may expose plaintext passwords to Okta administrators.
What failed login attempts reveal about password compromise.
Researchers at Mitiga describe a potential post-exploitation attack method in Okta’s single sign-on (SSO) solution that could be used to obtain passwords from Okta audit logs.
User mistakes can log plaintext passwords.
The researchers explain that if users mistakenly enter their password into the username field of Okta’s login portal, the password will be stored in plaintext in the logs of failed login attempts:
“As part of Mitiga’s ongoing SaaS threat hunting activities, we analyzed the Okta audit logs for both successful and failed login attempts. We found that Okta's audit logs supply detailed information about user activity, including usernames, IP addresses, and login timestamps. In addition, the logs provide insight into whether login attempts were successful or unsuccessful, and whether they were performed via a web browser or a mobile app. In our analysis, we discovered that passwords were present in the username field of failed login attempts. This is a concerning finding, as passwords should never be present in plain text in any type of log.”
Okta responded to Mitiga’s findings, noting that these logs should only be visible to Okta administrators:
“Okta has reviewed the reported issue and confirmed that it is expected behavior when users mistakenly enter their password in the username field. Okta logs failed login attempts and includes the erroneous username in the logs. These logs are only accessible to Okta administrators, who are the most privileged users in Okta and should be trusted not to engage in malicious activities.”
Mitiga adds, however, that these logs are sometimes forwarded to SIEM solutions, so organizations should be aware that the administrators of those systems, not only Okta administrators, may also have access to them.
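One defensive response to the failure mode described above is to screen failed-login events for a username field that looks like a stray password before they reach the SIEM. The following is an added example, not Mitiga's or Okta's code; it assumes Okta System Log events in their documented JSON shape (`eventType`, `outcome.result`, `actor.alternateId`), assumes the value typed into the username box lands in `actor.alternateId`, and works on constructed sample events.

```python
"""Flag Okta failed-login events whose username field looks like a stray password.

Added example (not Mitiga's or Okta's code). Assumes the entered login lands in
actor.alternateId of an Okta System Log event; the sample events are constructed.
"""
import json
import re

# Okta logins are normally e-mail addresses or short alphanumeric handles.
LOGIN_RE = re.compile(r"^[A-Za-z0-9._%+-]+(@[A-Za-z0-9.-]+\.[A-Za-z]{2,})?$")
SYMBOLS = set("!\"#$%&'()*+,/:;<=>?[\\]^`{|}~ ")

def looks_like_password(value: str) -> bool:
    """Heuristic: not a plausible login, 8+ chars, three or more character classes.
    Conservative on purpose: an all-alphanumeric password is indistinguishable
    from a handle and is left alone."""
    if LOGIN_RE.match(value):
        return False
    classes = sum([
        any(c.islower() for c in value),
        any(c.isupper() for c in value),
        any(c.isdigit() for c in value),
        any(c in SYMBOLS for c in value),
    ])
    return len(value) >= 8 and classes >= 3

def redact_failed_logins(events):
    """Return (redacted_events, hits); suspicious login values are masked in a copy."""
    hits, out = 0, []
    for ev in events:
        ev = json.loads(json.dumps(ev))  # deep copy; caller's events stay intact
        login = (ev.get("actor") or {}).get("alternateId", "")
        failed = (ev.get("outcome") or {}).get("result") == "FAILURE"
        if failed and ev.get("eventType") == "user.session.start" and looks_like_password(login):
            ev["actor"]["alternateId"] = "[REDACTED-possible-credential]"
            hits += 1
        out.append(ev)
    return out, hits

# Constructed sample events modelled on the Okta System Log layout.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice@example.com"}},
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "Tr0ub4dor&3!"}},  # password typed into the username box
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"}},
]

if __name__ == "__main__":
    print(redact_failed_logins(SAMPLE_EVENTS)[1], "event(s) redacted before SIEM forwarding")
```

Because the check is a heuristic, it is a filter for the forwarding pipeline and a trigger for a password reset, not a replacement for keeping Okta administrator access itself tightly scoped.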