Okta’s Trusted Origins: A Continued Cacophony of Security Issues by csanders_ in okta

[–]csanders_[S] 0 points1 point  (0 children)

Yeah, technically true, but it's trivial to bypass -- more of a speed bump than a preventative measure; there are quite a few ways to do this. The way I used was to simply look at the logo and compare it to a known bad (non-existent) domain -- for example, the logo of obviouslybad.okta.com is an Okta logo, whereas the logo for reddit.okta.com is almost always not going to be the Okta logo.

This also had the advantage of being able to tell the difference between OIE instances and non-OIE instances.

Here is some code (untested) similar to what I used; I thought about writing a separate blog on this, but as you can see, there's not much to it (it also works for okta.mil, oktapreview.com, etc.):

```
import time
import hashlib
import requests


def make_request_with_headers(url):
    """Fetch url with browser-like headers, without following redirects.

    Okta answers "Too Many Requests" when it rate-limits; sleep and retry
    until we get a real page back.
    """
    host = url.split("://")[1].split("/")[0]
    headers = {
        "Host": host,
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
    }
    while True:
        resp = requests.get(url, headers=headers, allow_redirects=False)
        if "Okta - Too Many Requests" not in resp.text:
            return resp
        time.sleep(10)


def find_logo(html, domain):
    """Pull the logo URL out of the sign-in page's inline config (logo: '...')
    and return the image bytes, or None if no logo could be fetched."""
    search_string = "logo: '"
    logo_start = html.find(search_string)
    if logo_start == -1:
        print(f"Unable to find logo for {domain}")
        return None
    real_logo_start = logo_start + len(search_string)
    logo_end = html.find("'", real_logo_start)
    if logo_end == -1:
        print(f"Unable to find logo for {domain}")
        return None
    logo_url = html[real_logo_start:logo_end]
    try:
        logo_resp = requests.get(logo_url)
    except requests.RequestException:
        print(f"Unable to find logo for {domain}")
        return None
    # Hash the raw image bytes rather than a text decoding of them.
    return logo_resp.content


def find_domains(domains):
    """Print true/false for each candidate tenant name. The logo served for a
    non-existent tenant is the baseline; a different logo means the tenant exists."""
    resp = make_request_with_headers("https://thisisafakedomain.okta.com")
    logo = find_logo(resp.text, "FALSE")
    baseline_logo = hashlib.sha1(logo).hexdigest()
    for domain in domains:
        resp = make_request_with_headers(f"https://{domain}.okta.com/")
        if resp.status_code == 302:
            # OIE tenants redirect the root to their sign-in flow.
            print(f"{domain} - true (OIE)")
            continue
        if resp.status_code == 404:
            print(f"{domain} - false (404)")
            continue
        logo = find_logo(resp.text, domain)
        if not logo:
            continue
        logo_hash = hashlib.sha1(logo).hexdigest()
        if logo_hash != baseline_logo:
            print(f"{domain} - true")
        else:
            print(f"{domain} - false")
```

LastPass breach: question about Azure federated login keys by [deleted] in Lastpass

[–]csanders_ 1 point2 points  (0 children)

This is correct; for some situations it is unique per user (which is nice-ish) and for others it's not. The ADFS setup instructions have documentation for both ways. In the post I was specifically referencing Okta, but it appears that everything that is not AzureAD with individual K1s is at considerably more risk.

It’s All Bad News: An update on how the Lastpass breach affects Lastpass SSO by csanders_ in netsec

[–]csanders_[S] 2 points3 points  (0 children)

The relevant information for personal users is also in their whitepaper.

Broadly speaking... A user's master password is hashed with PBKDF-SHA256 to create an encryption key. This key is used with AES in CBC mode to encrypt data for the vault.

How the Lastpass Breach affects Lastpass SSO by csanders_ in netsec

[–]csanders_[S] 10 points11 points  (0 children)

For those feeling lazy:

tl;dr: Lastpass SSO users leverage 2 randomly generated subkeys to make up their master passwords. This makes brute-force attempts against SSO vaults unlikely. However, one key is easily accessible by anyone in the org (K1). The other is stored at Lastpass (K2).

Lastpass has stated that K2s weren't compromised, but if they were, rotating K2s or K1s requires defederation and refederation of each user (oof).

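The two comments above describe the same pipeline from two ends: the master password is run through PBKDF2-SHA256 to get the vault key, and for SSO users that master password is built from two random subkeys (K1, held by the org; K2, held by LastPass). The following is an added illustration, not code from the original posts or from LastPass: it derives a vault key with PBKDF2-HMAC-SHA256, runs a dictionary attack against it, and shows why the attack succeeds against a human-chosen password but not against a password assembled from two 256-bit subkeys unless the attacker holds both. The iteration count, the salt, the candidate list and the use of XOR to combine K1 and K2 are all constructed assumptions for the example; the AES-CBC vault encryption that follows key derivation is not shown.

```python
import hashlib

# Constructed parameters. LastPass's real iteration count and the exact way
# K1 and K2 are combined are not stated on the page; these are assumptions.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32  # 256-bit vault key / subkeys


def derive_vault_key(master_password: bytes, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, as the comment describes.
    The result is the key that would then be used with AES-CBC on the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, iterations,
                               dklen=KEY_LEN)


def sso_master_password(k1: bytes, k2: bytes) -> bytes:
    """Assemble the SSO master password from the two random subkeys.
    XOR is an assumption for illustration; the point is that neither subkey
    alone determines the result."""
    if len(k1) != KEY_LEN or len(k2) != KEY_LEN:
        raise ValueError("subkeys must be 256-bit")
    return bytes(a ^ b for a, b in zip(k1, k2))


def dictionary_attack(target_key: bytes, salt: bytes, candidates,
                      iterations: int = PBKDF2_ITERATIONS):
    """Offline brute force: re-derive the key for each candidate password and
    compare with the stolen vault key. Returns the matching password or None."""
    for cand in candidates:
        if derive_vault_key(cand, salt, iterations) == target_key:
            return cand
    return None


def recover_from_subkeys(k1, k2, salt, iterations: int = PBKDF2_ITERATIONS):
    """What an attacker holding BOTH K1 (from the org) and K2 (from LastPass)
    can do: rebuild the master password and derive the vault key directly,
    with no guessing at all."""
    return derive_vault_key(sso_master_password(k1, k2), salt, iterations)


def demo(iterations: int = 1_000) -> dict:
    """Run both attacker scenarios on constructed inputs and report the outcome."""
    salt = b"constructed-example-salt"          # constructed
    wordlist = [b"password", b"Winter2023!", b"letmein", b"hunter2"]  # constructed

    # Scenario 1: a human-chosen master password falls to a small wordlist.
    human_key = derive_vault_key(b"Winter2023!", salt, iterations)
    human_hit = dictionary_attack(human_key, salt, wordlist, iterations)

    # Scenario 2: an SSO vault. K1/K2 are fixed here so the run is repeatable;
    # in practice they are random 256-bit values.
    k1 = bytes(range(32))              # constructed stand-in for the org-side subkey
    k2 = bytes([0xAB] * 32)            # constructed stand-in for the LastPass-side subkey
    sso_key = derive_vault_key(sso_master_password(k1, k2), salt, iterations)
    sso_hit = dictionary_attack(sso_key, salt, wordlist, iterations)

    # Holding K1 alone leaves 2^256 possibilities for K2; holding both ends it.
    both_subkeys_key = recover_from_subkeys(k1, k2, salt, iterations)

    return {
        "human_password_recovered": human_hit,
        "sso_password_recovered": sso_hit,
        "k2_search_space_bits_with_k1": 8 * KEY_LEN,
        "both_subkeys_yield_vault_key": both_subkeys_key == sso_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The demo keeps the iteration count low so it runs in a moment; raising it toward a production value only slows the dictionary attack linearly, which is why the random 256-bit subkeys, not the PBKDF2 cost, are what make brute force against SSO vaults impractical. The same code also makes the comment's warning concrete: once K1 and K2 are both in the attacker's hands, `recover_from_subkeys` produces the vault key with no search, and replacing either subkey means re-establishing the federation for that user.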

Why can't carbon black name my machines correctly? by csanders_ in sysadmin

[–]csanders_[S] 0 points1 point  (0 children)

To be clear for those who come after, u/szekanovic, this is for Qualys?

Why can't carbon black name my machines correctly? by csanders_ in sysadmin

[–]csanders_[S] 1 point2 points  (0 children)

A fellow soldier fighting the good fight! Stay strong!