
Authomize Blog

3 Lessons Learned from Attacks on Okta Super Admins

Discover the latest Okta security incident, learn about identity federation abuse, and find out how to protect your Okta environment. Explore the risks and solutions.

06/09/2023 • Gabriel Avner


Authomize Open Sources MFA Bombing Training Tool

Explore Authomize’s new open source training tool designed to raise awareness and enhance resilience against MFA Bombing attacks.

31/05/2023 • Gabriel Avner


Misconfigurations Expose Okta Master Passwords

Authomize’s Security Research Lab has released a new report outlining misconfiguration risks for Okta users that can lead to the theft of cleartext Okta master passwords and compromise of all cleartext passwords post-exploitation with a “living off the land” technique utilizing the Okta SWA (password manager) functionality.

23/05/2023 • Gabriel Avner


Extending Identity Security Visibility for Azure AD Identity Protection

Your ability to properly assess your risk is directly correlated with the breadth and depth of your intelligence. Security teams seeking to protect against identity-based threats need to be able to answer basic questions like…

09/03/2023 • Gabriel Avner


OpenITDR is Open for Business: New Open Framework for the ITDR Community

Authomize, the Identity Threat Detection and Response Platform, announced today the launch of the OpenITDR Framework Initiative.

01/03/2023 • Gabriel Avner


5 Signs of an Identity Attack

Identity attacks are increasing and putting organizations’ data at risk. Look out for these 5 warning signs of an identity attack: stale accounts, user impersonation, lateral movement…

16/02/2023 • Gabriel Avner


Trust but Verify — How to Secure Identity Provider Trust Relationships

Despite their best intentions, organizations find themselves contending with all too common admin sprawl throughout their apps and environments, leaving them with far more admins than they can handle securely…

02/02/2023 • Gabriel Avner


Authomize Research on Post-Holiday Account Takeovers

Discover the motives and behavior of cyber criminals and how to protect yourself with Authomize’s Identity Threat Detection and Response (ITDR) platform.

26/01/2023 • Gabriel Avner


Okta’s Source Code Stolen in GitHub Breach

Okta’s source code was stolen in a breach of their GitHub repos, marking the 2nd significant attack on this critical IAM provider. Read how to secure your Okta with ITDR.

21/12/2022 • Gabriel Avner


Tackling the Rise of Insider Threat Risk After the Great Resignation

Earlier this month, the team over at security firm Kroll released its “Q3 Threat Landscape: Insider Threat the Trojan Horse of 2022” report on the rise in insider threat…

30/11/2022 • Gabriel Avner


Authomize is the ITDR Platform

Authomize announced today that we are the Identity Threat Detection and Response (ITDR) Platform. If you missed our Press Release on the announcement, take a moment to check it out…

15/11/2022 • Gabriel Avner


Integrating Authomize ITDR with Microsoft Sentinel SIEM

In response to the expanding threat surface facing identities, interoperability between identity and access management (IAM) and security operations is now understood to be a must for organizations in defending their cloud environments…

08/11/2022 • Steven Riley


3 Steps to Take to Get Started with Identity Threat Detection and Response (ITDR)

Following the new Gartner research report around Identity Threat Detection and Response (ITDR) we suggest 3 steps that help organizations get started with protecting their IAM layer from identity threats.

24/10/2022 • Maya Malevich


A Graph is Worth a Thousand Investigations: Authomize’s Graph Explorer Enables Unparalleled Access Visibility and Control

We here at Authomize have released an updated Access Explorer that gives security teams the highly detailed view of access to their assets that makes it easy to investigate and resolve incidents.

13/09/2022 • Yuval Inchi


Authomize Discovers PassBleed Password Stealing and Impersonation Risks in Okta

Organizations depend on their Identity Providers for managing their identities and access to their apps and services, using them as their trusted management solution for everything from Single Sign-On and Multi-Factor Authentication to directory services and provisioning access.

19/07/2022 • Gabriel Avner


Okta Customers Exposed to Risk of Password Theft and Impersonation in PassBleed Attacks

Authomize’s Security Research Lab has uncovered a set of inherent risks in the popular Identity Provider Okta that leave users exposed to potential compromise and exploitation.

• Gabriel Avner


Authomize’s Security Research Lab has uncovered a set of inherent risks in the popular Identity Provider Okta that put users at risk of potential compromise and exploitation.

According to Authomize’s CTO and Co-founder Gal Diskin, the risky security exposure is a flawed yet intentional design that opens the door to exploitation, and not simply a coding mistake. 

“Our team discovered this risky architecture during the course of our research into Identity Providers,” says Diskin. “Following the news of the Okta breach earlier this year, we focused our efforts on understanding what sorts of actions a malicious actor could do if they achieved even a minimal level of access within the Okta platform.” 

“As we laid out in our technical write up of these major operational risks,” he says, “We were very surprised to find that Okta’s architecture for password synching creates a situation where an actor can simply pull out passwords in clear text, even over unencrypted channels (HTTP), and including the passwords of more senior admins.”  

Authomize has disclosed all of our findings to Okta and is working with their team to help resolve these security concerns.

In their response to Authomize’s responsible disclosure, Okta has stated that they do not believe these security issues to be vulnerabilities, but functions working according to their intended design and expected inherent risks.

Our Findings

  1. Extract clear text passwords of all employees in the organization

    Okta makes it very easy to manage passwords across its platform. Unfortunately, in this case, that focus on usability appears to have negative security implications.

    Authomize’s researchers have documented that a malicious actor with app admin privileges, defined as a delegated person responsible for managing single applications, can extract the passwords of any user in the organization. This includes super admins, which can lead to privilege escalation.

    All in clear text.

    The key feature at issue is Okta’s password synchronization: an attacker can redirect the syncing of passwords, which are stored and shared in clear text, to their own SCIM server.

    You can see Diskin’s POC of this exploitation in this video and watch how the passwords pop up for the successful attacker.

  2. Passwords and Sensitive Data Shared Over Unencrypted Channels (HTTP)

    While not the focus of our initial research following the breach, Diskin’s team quickly discovered Okta is sending sensitive data, including passwords, over the insecure HTTP channel.

    If exploited, an attacker could “sniff” a wide range of data that is being transferred. Unlike the previous example though, the attacker would get the full firehose of data being sent over the channel, and not just specific targeted bits and bytes.

    Best practice calls for using encrypted channels like HTTPS, which make it harder for an attacker to carry out a man-in-the-middle attack.

  3. Hub & Spoke Configuration Allows Sub-org Admins to Compromise Accounts in the Hub or Other Spokes Downstream

    Okta offers a useful Hub and Spoke architecture that makes it easy to scale up control of your organization from the hub by adding spokes for smaller segments or departments while ideally keeping them securely separated from one another.

    However, according to Diskin’s research, under the default configuration an attacker holding only app admin privileges can impersonate any downstream user in the downstream application(s) they administer. They can also impersonate users from other spokes, circumventing the intended protections of the hub and spoke architecture.

    Furthermore, a malicious actor can add spokes by impersonating a compromised admin, giving them persistence. This activity is difficult to detect: no traces of the impersonation are left in the downstream application, and you need to know what to look for in Okta during a deeper forensic dive to uncover evidence.

  4. Mutable Identity Log Spoofing

    Most of the logging features in Okta are vulnerable to mutable identity techniques, enabling attackers to appear to be another user: they do the mischief and someone else takes the blame unless a deeper investigation is performed.

    Taken as a standalone issue, this log spoofing is not dangerous on its own. However, when used to cover up the evidence of malicious actions, it can make it more difficult for investigators to identify wrongdoing.

    Note also that app admin privileges are not required for this activity.
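As an added defender-side example (not Authomize’s assessment tool or any code from the original post), the following Python audits an exported list of Okta app objects for the two misconfigurations findings 1 and 2 describe: password push enabled toward a provisioning host that is not on an expected allowlist, and provisioning over plain HTTP. The JSON shape, the `provisioning.baseUrl` field, the `PUSH_PASSWORD_UPDATES` feature name and the allowlist are assumptions for the constructed sample; check them against your own Okta export before relying on the output.

```python
import json
from urllib.parse import urlparse

# Constructed sample export of Okta app objects. The shape (a "provisioning"
# object carrying "baseUrl", and the "features" list) is an assumption for
# this example; real Okta exports carry many more fields.
SAMPLE_APPS = json.loads("""[
  {"id": "app1", "label": "HR SCIM", "status": "ACTIVE",
   "features": ["PUSH_NEW_USERS", "PUSH_PASSWORD_UPDATES"],
   "provisioning": {"baseUrl": "https://scim.hr.example.com/v2"}},
  {"id": "app2", "label": "Ticketing", "status": "ACTIVE",
   "features": ["PUSH_NEW_USERS", "PUSH_PASSWORD_UPDATES"],
   "provisioning": {"baseUrl": "http://203.0.113.7/scim/v2"}},
  {"id": "app3", "label": "Wiki", "status": "ACTIVE",
   "features": ["IMPORT_NEW_USERS"],
   "provisioning": {"baseUrl": "http://wiki.example.com/scim"}}
]""")

# Hosts that are expected to receive provisioning traffic (assumed allowlist).
TRUSTED_HOSTS = {"scim.hr.example.com", "wiki.example.com"}


def audit_app(app, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of findings for one app object (empty if clean)."""
    findings = []
    pushes_passwords = "PUSH_PASSWORD_UPDATES" in app.get("features", [])
    url = urlparse(app.get("provisioning", {}).get("baseUrl", ""))
    if url.scheme == "http":
        # Finding 2: anything provisioned over plain HTTP is readable in transit.
        findings.append("PROVISIONING_OVER_HTTP")
    if pushes_passwords and url.hostname not in trusted_hosts:
        # Finding 1: password sync points at a SCIM endpoint nobody approved
        # (a missing or empty URL is treated as untrusted on purpose).
        findings.append("PASSWORD_PUSH_TO_UNTRUSTED_HOST")
    if pushes_passwords and url.scheme == "http":
        # Worst case: cleartext passwords pushed over a cleartext channel.
        findings.append("PASSWORD_PUSH_OVER_HTTP")
    return findings


def audit_apps(apps, trusted_hosts=TRUSTED_HOSTS):
    """Map app id -> findings for every ACTIVE app that has at least one."""
    report = {}
    for app in apps:
        if app.get("status") != "ACTIVE":
            continue
        issues = audit_app(app, trusted_hosts)
        if issues:
            report[app["id"]] = issues
    return report
```

Running `audit_apps(SAMPLE_APPS)` flags only app2 (all three findings) and app3 (HTTP only); app1 passes because it pushes passwords over HTTPS to an allowlisted host.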

Conclusions

Following our research, we have come to the following conclusions:

For a full breakdown of all the details of our research with more in-depth analysis, please read our technical post here.

Our Solution and Closed Beta

Authomize’s team is working to offer our current and future customers a security solution to mitigate these risks. 

As part of this solution, we will be offering a free assessment tool that will allow companies to determine whether their Okta is misconfigured, leaving them exposed to these security risks. 

The tool will also detect whether an attacker utilized these risks in an attempt to exploit the organization. 

Along with this assessment tool, we are working on a closed beta solution that will: 

We are working with a selected set of customers and design partners to develop this product together. 

For more information on our FREE ASSESSMENT or the Closed Beta, please contact us today.
