Identity and access management giant Okta warned customers about an ongoing credential stuffing attack against one of its tools and suggested users disable it or apply a set of mitigations to stay safe.
A company announcement noted how hackers have been abusing the cross-origin authentication feature in Customer Identity Cloud (CIC) to mount credential stuffing attacks for several weeks.
“Okta has determined that the Customer Identity Cloud (CIC) feature is prone to attack by threat actors orchestrating credential stuffing attacks,” the announcement said. “As part of our Okta Secure Identity Commitment and our commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers.”
Fill out the login page
Okta Customer Identity Cloud is a comprehensive identity and access management (IAM) platform designed to manage and protect customer identities. The abused feature, Cross-Origin Resource Sharing (CORS), is a security mechanism that allows web applications running on one origin (domain) to request resources from a server on a different origin.
Finally, a credential stuffing attack occurs when hackers “stuff” an online login page with countless credentials obtained elsewhere, in an attempt to access different accounts.
With CORS, customers add JavaScript to their websites and applications, which sends authentication calls to the hosted Okta API, BleepingComputer explains. However, the feature only works when customers grant access to the URLs from which cross-origin requests can originate.
Therefore, if these URLs are not actively used, they should be disabled, Okta said.
Those interested in seeing if their infrastructure has already been attacked should check their logs for “fcoa,” “scoa,” and “pwd_leak” events, which are evidence of cross-origin authentication and login attempts. If the tenant is not using cross-origin authentication but the logs show fcoa and scoa events, then a credential stuffing attempt has been made.