Okta says it’s adding greater protections to what hackers are increasingly seeing as a sweet internet hall pass: the session cookie.
The authentication vendor’s post-breach remediation step—to bind session cookies to network location—is one valuable way to potentially stop an attacker from hijacking sessions and fast-passing through security. The add-on demonstrates concern for an increasingly popular break-in tactic that offers instant access.
“The biggest threat that I see facing the industry is session-cookie theft, because it completely invalidates all the security controls that we’re putting in place up front to try to authenticate users to applications,” Jason Rebholz, CISO at Corvus Insurance, told IT Brew. “They’re basically just cutting in line and going straight around all your defenses and getting straight to the ultimate objective of getting access to your organization.”
What happened? According to a Nov. 3 post by Okta, a threat actor hijacked the Okta customer-support portal by gaining access to an HTTP Archive (HAR) file. The log is essentially a flight recording of everything happening in the browser, said Rebholz, including active session cookies that gave attackers access to the support portal for Okta customers.
Infostealing is up. The stored session credentials like usernames, passwords, and associated URLs can be siphoned by malware and information stealers, which threat researchers are seeing a lot more of. A June report from the cybersecurity firm Flare revealed a “surge of infostealer variants.” After examining more than 19.6 million stealer logs, the team discovered that at least 1.91% contained credentials to popular business applications.
It’s binding. To address the threat of session-token theft against Okta admins, the company announced the product-enhancement measure of binding session cookies to network location: “Okta administrators are now forced to reauthenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal,” wrote David Bradbury, Okta chief security officer, in the post.
Authentication has it all. Identity providers are often a company’s entire authentication apparatus, which makes them an attractive target for hackers. In September 2023, Okta told TechTarget that attackers used social engineering to compromise its casino customers Caesars and MGM.
“Frequently, the identity providers…they’re all the authentication for that organization. So a compromise [at] Okta can give an attacker access to many organizations and many different parts of organizations, potentially,” said David Manning, offensive security director at Presidio.
Okta’s binding measure assigns the device to the person logging in and makes sure that they stay the same through all their active sessions, Rebholz, who called the measure a “personal favorite” in his weekly Weekend Byte newsletter, told IT Brew.
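As an added illustration of the binding described in Okta’s announcement and in Rebholz’s summary above (example code written for this article, not Okta’s own implementation), here is a minimal server-side session store that records the network a cookie was issued from and forces reauthentication when that cookie is presented from a different network. The prefix-based definition of “network location,” the class and method names, and the sample addresses are all assumptions.

```python
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: "network location" is approximated by the client's IPv4 /24 or
# IPv6 /64 prefix. A real deployment would use whatever signal its edge
# provides (ASN, geolocation, egress IP); the comparison logic is the same.


@dataclass
class Session:
    user: str
    network: str      # prefix the session cookie was issued to
    issued_at: float


class BoundSessionStore:
    """Server-side session store that binds each cookie to the network it was
    issued from and forces reauthentication when that network changes."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def network_key(client_ip: str) -> str:
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False))

    def create(self, user: str, client_ip: str) -> str:
        # The cookie value is a random opaque token; the binding lives server-side.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self.network_key(client_ip), time.time())
        return token

    def validate(self, token: str, client_ip: str) -> Tuple[Optional[str], str]:
        """Return (user, status); status is 'ok', 'reauth_required' or 'unknown'."""
        session = self._sessions.get(token)
        if session is None:
            return None, "unknown"
        if session.network != self.network_key(client_ip):
            # A cookie presented from a different network is treated as
            # possibly stolen: revoke it and make the user log in again.
            del self._sessions[token]
            return None, "reauth_required"
        return session.user, "ok"
```

A cookie replayed from inside the same prefix still passes, which is the “imperfect, but very practical” trade-off Rebholz describes.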
“Right now, there is almost no support for token-binding in any application. So, for Okta, they’re really one of the first that I’ve personally seen that is making this more broadly available even in a subset,” said Rebholz.
In an October preview, Microsoft announced token-protection features that tie identity to the device. Google has shown interest in the feature, but abandoned development plans in 2018.
“If you can just literally flip a switch in Okta and put in this imperfect, but very practical session-binding solution, you’re going to almost, not completely eliminate, but you’re going to largely mitigate the risk of this type of attack impacting your Okta administrators at least,” said Rebholz.