SaaS security alert: Okta Classic sign-on policy bypass

Okta recently fixed a flaw in its Classic platform that allowed attackers to bypass application-level sign-on conditions using valid credentials and an “unknown” device type. Although the issue has been resolved, organizations using Okta Classic should review their system logs for any unusual activity or unauthorized access.

What Happened?

In late September 2024, Okta discovered a flaw affecting Okta Classic configurations, which allowed attackers with legitimate credentials to bypass certain application-level sign-on conditions. These conditions could involve specific policies related to device types, network zones, or authentication methods outside of global policies. The vulnerability was introduced during a software update in mid-July 2024 and was present until early October 2024.

Exploiting this issue required:

  1. The attacker having valid login credentials
  2. The use of application-specific sign-on policies
  3. The attacker using an “unknown” device type

Okta released a fix for this vulnerability on October 4, 2024.

What Can I Do?

If your organization was using Okta Classic after July 17, 2024, you should take the following steps to confirm your system wasn’t compromised:

Review Okta System Logs to identify any successful logins from devices flagged as “unknown” between July 17 and October 4, 2024. Okta provided the following query to search for this activity:

outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso"

Look for unusual patterns such as:

  • Successful logins from unknown devices prior to mid-July, which may indicate legitimate access
  • Failed login attempts just before a successful authentication, as this could indicate credential-based attacks (like password spraying)

Search for anomalies like:

  • Unexpected geolocations, IP addresses, or times of access
  • Access from different networks or new device types
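The following script is an added example, not code from the original alert or from Okta. It applies the alert's query (outcome.result, client.device, eventType) to a handful of constructed System Log events, restricts hits to the July 17 to October 4, 2024 window, and counts failed attempts by the same user shortly before each hit, which is the password-spraying pattern the review steps describe. The field names beyond the three in the query (published, actor.alternateId, client.ipAddress) and the user.session.start event type for failed sign-ins are assumptions based on the Okta System Log schema; the sample events themselves are made up.

```python
"""Triage helper for the Okta Classic "unknown device" sign-on bypass review.

Added example, not from the original alert or from Okta. Field names other
than outcome.result / client.device / eventType are assumed from the Okta
System Log schema; all sample events below are constructed, not real data.
"""
from datetime import datetime, timedelta, timezone

# Exposure window named in the alert (fix released October 4, 2024).
WINDOW_START = datetime(2024, 7, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 4, 23, 59, 59, tzinfo=timezone.utc)


def _evt(published, event_type, result, device, actor, ip):
    """Build a minimal constructed System Log event in Okta's nested shape."""
    return {
        "published": published,
        "eventType": event_type,
        "outcome": {"result": result},
        "client": {"device": device, "ipAddress": ip},
        "actor": {"alternateId": actor},
    }


# Constructed sample events: one pre-window baseline hit, one spray-then-success
# sequence, one login from a known device type, one isolated in-window hit.
SAMPLE_EVENTS = [
    _evt("2024-07-01T09:00:00.000Z", "user.authentication.sso", "SUCCESS", "Unknown", "alice@example.com", "198.51.100.5"),
    _evt("2024-08-12T02:00:00.000Z", "user.session.start", "FAILURE", "Unknown", "bob@example.com", "203.0.113.9"),
    _evt("2024-08-12T02:01:00.000Z", "user.session.start", "FAILURE", "Unknown", "bob@example.com", "203.0.113.9"),
    _evt("2024-08-12T02:02:00.000Z", "user.session.start", "FAILURE", "Unknown", "bob@example.com", "203.0.113.9"),
    _evt("2024-08-12T02:05:00.000Z", "user.authentication.sso", "SUCCESS", "unknown", "bob@example.com", "203.0.113.9"),
    _evt("2024-09-03T14:30:00.000Z", "user.authentication.sso", "SUCCESS", "Computer", "carol@example.com", "198.51.100.7"),
    _evt("2024-09-20T11:15:00.000Z", "user.authentication.sso", "SUCCESS", "Unknown", "dave@example.com", "192.0.2.44"),
]


def get(event, dotted):
    """Look up a dotted path such as 'outcome.result' in a nested dict."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def published_at(event):
    """Parse the ISO-8601 'published' timestamp into an aware datetime."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def matches_alert_query(event):
    """Same three conditions as the query Okta published in the alert."""
    return (
        get(event, "outcome.result") == "SUCCESS"
        and get(event, "client.device") in ("Unknown", "unknown")
        and get(event, "eventType") == "user.authentication.sso"
    )


def in_window(event, start=WINDOW_START, end=WINDOW_END):
    """True if the event falls inside the vulnerable period."""
    return start <= published_at(event) <= end


def preceding_failures(events, success, lookback=timedelta(minutes=30)):
    """Count failed attempts by the same actor within `lookback` before a success."""
    actor = get(success, "actor.alternateId")
    t = published_at(success)
    return sum(
        1 for e in events
        if get(e, "actor.alternateId") == actor
        and get(e, "outcome.result") == "FAILURE"
        and t - lookback <= published_at(e) < t
    )


def review_unknown_device_logins(events, lookback=timedelta(minutes=30)):
    """One finding per in-window query hit, with the context an analyst triages."""
    findings = []
    for e in sorted(events, key=published_at):
        if matches_alert_query(e) and in_window(e):
            findings.append({
                "actor": get(e, "actor.alternateId"),
                "published": e["published"],
                "ip": get(e, "client.ipAddress"),
                "preceding_failures": preceding_failures(events, e, lookback),
            })
    return findings


if __name__ == "__main__":
    for finding in review_unknown_device_logins(SAMPLE_EVENTS):
        print(finding)
```

Alice's pre-window hit is deliberately left out of the findings: it is the kind of baseline the review step mentions, useful for judging whether "unknown" devices are normal for a given user. Bob's hit shows three failures in the preceding five minutes and is the one to prioritize; Dave's hit has no such precursor and needs the geolocation and network checks that follow.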

Focus on applications with fixed policy rules, including commonly used services like Microsoft Office 365 and RADIUS, as these applications may be particularly vulnerable.
