Identity and access management giant Okta has warned customers of an ongoing credential stuffing attack on one of its tools and suggested users disable it or adopt a range of measures to stay safe.
An announcement from the company noted that hackers have been abusing the cross-origin authentication feature in Customer Identity Cloud (CIC) for several weeks to conduct credential stuffing attacks.
“Okta has determined that the feature in Customer Identity Cloud (CIC) is susceptible to being targeted by threat actors orchestrating credential stuffing attacks,” the announcement said. “As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and assess potentially suspicious activity and proactively send notifications to customers.”
Filling the login page
Okta Customer Identity Cloud is a comprehensive identity and access management (IAM) platform designed to manage and secure customer identities. Cross-origin resource sharing (CORS), which is being exploited, is a security mechanism that allows web applications running on one origin (domain) to request resources from a server on another origin.
Finally, a credential stuffing attack occurs when hackers “stuff” an online login page with numerous credentials obtained elsewhere in an attempt to break into various accounts.
With CORS, customers add JavaScript to their websites and applications, sending authentication calls to the hosted Okta API, BleepingComputer explains. However, the feature only works if clients grant access to the URLs from which cross-origin requests can be made.
So if these URLs are not actively used, they should be disabled, Okta said.
Those interested in seeing if their infrastructure has already been targeted should check their logs for ‘fcoa’, ‘scoa’ and ‘pwd_leak’ events, which are evidence of cross-origin authentication and login attempts. If the tenant is not using cross-origin authentication, but the logs show fcoa and scoa events, an attempt was made to fill the credentials.