Okta: Vulnerability in Verify gives attackers access to passwords
Attackers can exploit a vulnerability in the Windows agent in Okta's Verify device access control software to steal passwords.
(Image: created with AI in Bing Designer by heise online / dmk)
There is a security vulnerability in the Okta Verify Agent for Windows device access control software that allows attackers to steal passwords. A security update is now available. IT managers should distribute the update promptly.
In a security advisory, Okta explains that the Okta Verify Agent for Windows exposes the OktaDeviceAccessPipe in a way that allows attackers who already have access to a vulnerable system to capture passwords used for Okta's Desktop MFA Passwordless Logins (CVE-2024-9191, CVSS 7.1, risk "high"). This may give them extended access to the system or to other network resources.
Okta vulnerability affects Windows computers
The vulnerability only affects the Agent for Windows, and only when the "Device Access Passwordless" function is enabled. Where that function is not used and only "FastPass" is used, or on other operating systems, the security-relevant error is not present, the manufacturer confirms.
Okta Verify for Windows from version 5.0.2 up to and including 5.3.2 is vulnerable. Okta recommends updating to the corrected version, Okta Verify for Windows 5.3.3. The early access version has been available since mid-September; the release notes give October 18 as the release date, while the security advisory dated October 25 indicates general availability. As Okta classifies the vulnerability as high risk, admins should quickly distribute the update of the device access control software in their networks.
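The exposure conditions above (Windows agent, "Device Access Passwordless" enabled, version 5.0.2 through 5.3.2 inclusive) are easy to get wrong when checking an inventory by hand, especially if versions are compared as strings. The following added triage helper is not Okta's code; the `Host` record and the sample inventory are constructed for illustration.

```python
"""Triage helper for CVE-2024-9191 (Okta Verify for Windows). Added example,
not Okta's code; it encodes the conditions stated in the advisory summary."""
from dataclasses import dataclass

FIRST_AFFECTED = (5, 0, 2)
LAST_AFFECTED = (5, 3, 2)   # inclusive
FIXED_VERSION = (5, 3, 3)   # first corrected release


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise '5.3.2' or '5.3.2.0' to a 3-tuple so comparison is numeric.
    String comparison would wrongly rank '5.10.0' below '5.3.2'."""
    parts = [int(p) for p in text.strip().split(".")][:3]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


@dataclass
class Host:
    name: str
    os: str                     # e.g. "windows", "macos" (assumed inventory field)
    verify_version: str         # Okta Verify agent version string
    passwordless_enabled: bool  # "Device Access Passwordless" feature on?


def is_affected(host: Host) -> bool:
    """True only when every condition for CVE-2024-9191 exposure holds."""
    if host.os.lower() != "windows":
        return False            # only the Windows agent is affected
    if not host.passwordless_enabled:
        return False            # FastPass-only deployments are not affected
    return FIRST_AFFECTED <= parse_version(host.verify_version) <= LAST_AFFECTED


def triage(hosts: list[Host]) -> list[str]:
    """Names of hosts that still need the 5.3.3 update."""
    return [h.name for h in hosts if is_affected(h)]


# Constructed sample inventory (not real hosts)
SAMPLE_HOSTS = [
    Host("win-01", "Windows", "5.3.2", True),    # last affected version
    Host("win-02", "Windows", "5.3.3", True),    # fixed release
    Host("win-03", "Windows", "5.1.0", False),   # FastPass only
    Host("win-04", "Windows", "5.0.1", True),    # before affected range
    Host("mac-01", "macOS", "5.2.0", True),      # other operating system
]

if __name__ == "__main__":
    print("Hosts needing update:", triage(SAMPLE_HOSTS))
```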
Okta came into the spotlight around a year ago when criminals broke into its systems and accessed data from all customers who had used Okta's support. In initial statements, the company said that only data from 134 customers had been copied.
(dmk)