SSO Exploits: Okta SSO + Push
Exploit Type: AitM, Session Hijack
Login Factors: Password, Push
What happened?
An adversary sets up a phishing proxy server that looks and behaves exactly like an SSO login page. The proxy relays traffic to the real login server and captures everything passing through it in both directions.
A victim is phished into visiting the malicious site and enters their username and password, and successfully completes the Push prompt.
Because the victim authenticated through the phishing proxy, the adversary steals the username, the password, and the session cookie issued for the application the victim signed into. The adversary can use the stolen credentials and session to perform malicious actions such as account takeover, data theft, or further lateral movement within the network.
Why is this an exploit?
If a victim is lured into visiting a phishing site, then Push as a second factor offers no additional defense. The real authentication server accepts the login request coming from the adversary's phishing server, and the login experience is identical for the end user, who still trusts that the experience is legitimate.
Neither the victim nor the system administrator is alerted, because the credentials used to access the system are stolen but otherwise legitimate.
How do you prevent this from happening?
Use phish-resistant MFA with origin validation. The authentication server should accept only authentication responses bound to its legitimate domains, and reject those originating from malicious domains. Even if a user falls for phishing, your authentication service should prevent any and all unsafe access.
Also, consider removing Push from your login flow, as it is known to be a phishable login factor.
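The origin validation described above, as an added example that is not part of this page or of any Beyond Identity or Okta code: the relying-party checks a WebAuthn-style server runs on a login response, where the browser records the origin the user actually visited in clientDataJSON and the authenticator scopes the credential to the RP ID, so a response collected by a proxy on another host fails before any signature is examined. The hostnames, the phishing-proxy origin and the sample responses are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets

# Relying-party configuration (constructed values for this example).
RP_ID = "sso.example.com"
ALLOWED_ORIGINS = {"https://sso.example.com"}

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> str:
    """The clientDataJSON a browser produces for the page it actually loaded."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())

def make_authenticator_data(rp_id: str) -> bytes:
    """rpIdHash || flags (UP+UV) || 4-byte signature counter, as an authenticator emits it."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")

def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Origin-binding checks run before the signature is verified; a phishing proxy
    cannot satisfy them because the browser fills in the origin the user really visited."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or cross-session response)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} is not an allowed origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    return True, "response is bound to the legitimate origin"

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    auth_data = make_authenticator_data(RP_ID)
    # Genuine login: the browser loaded the real SSO page.
    print(verify_assertion(make_client_data("https://sso.example.com", challenge), auth_data, challenge))
    # Same user and credential, but the page was served by the phishing proxy (constructed host).
    print(verify_assertion(make_client_data("https://sso.phish-proxy.example", challenge), auth_data, challenge))
```

A Push approval carries no equivalent of the origin field, which is why the server cannot tell the proxied login from a genuine one.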
Check out how Beyond Identity's phish-resistant MFA prevents this exploit from happening.