Okta Impersonation Technique Could be Utilized by Attackers

29-Aug-22

A routine procedure at Okta can be misused for malicious ends. Okta supports a legitimate workflow for changing a user's credential details, for example when a person gets married, changes her last name, and adopts a new email address. An attacker can abuse that same workflow to impersonate another active user.

Cloud identity company Permiso has investigated the possibility. The initial prompt came from a Permiso customer who recognised that the technique was possible but wanted to know how such an abuse could be detected. Abusing the procedure is difficult but not impossible. It requires the login credentials of either an Okta super administrator or an application administrator, as well as the ability to bypass any MFA that has been configured, where necessary.