Okta Classic Application Sign-On Policy Bypass

submitted by
Style Pass
2024-10-05 06:30:04

On September 27, 2024, a vulnerability was identified in specific Okta configurations whereby an attacker with valid credentials could bypass configured conditions within application-specific sign-on policies. These conditions could include use of network zones, device-type restrictions or authentication requirements set outside of the Global Session Policy. After investigation, we determined that this vulnerability was introduced as part of a release that occurred on July 17th, 2024.

If the vulnerability was exploited, unauthorized access to applications associated with the application sign-on policies could be obtained. Exploitation of the vulnerability required all of the following conditions:

The use of a user-agent Okta evaluates as an “unknown” device type (for example Python scripts and uncommon browser types)

Customers who were on Okta Classic as of July 17, 2024, and who meet the above conditions are advised to review the Okta System Log for unexpected authentications from user-agents evaluated by Okta as “unknown” between July 17, 2024 and October 4, 2024 using the following query:

outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso"
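As an added example (not part of Okta's advisory), the following Python applies the same filter logic locally to exported System Log records and restricts the result to the review window the advisory names, so a team can triage an export offline before pulling individual events from the console. The event records are constructed sample data; the field names used (outcome.result, client.device, eventType, published, actor.alternateId) follow the Okta System Log event schema.

```python
from datetime import datetime, timezone

# Review window named in the advisory: July 17, 2024 through October 4, 2024 (UTC).
WINDOW_START = datetime(2024, 7, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 5, tzinfo=timezone.utc)  # exclusive upper bound

# Constructed sample events (not real log data) shaped like Okta System Log
# records; only the fields the advisory's query touches are populated.
SAMPLE_EVENTS = [
    {"uuid": "evt-1", "published": "2024-08-02T10:15:00.000Z",
     "eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS"},
     "client": {"device": "Unknown", "userAgent": {"rawUserAgent": "python-requests/2.31.0"}},
     "actor": {"alternateId": "alice@example.com"}},
    {"uuid": "evt-2", "published": "2024-08-02T10:16:00.000Z",  # normal browser login
     "eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS"},
     "client": {"device": "Computer"}, "actor": {"alternateId": "bob@example.com"}},
    {"uuid": "evt-3", "published": "2024-08-03T09:00:00.000Z",  # failed attempt
     "eventType": "user.authentication.sso", "outcome": {"result": "FAILURE"},
     "client": {"device": "unknown"}, "actor": {"alternateId": "carol@example.com"}},
    {"uuid": "evt-4", "published": "2024-07-10T12:00:00.000Z",  # before the window
     "eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS"},
     "client": {"device": "Unknown"}, "actor": {"alternateId": "dave@example.com"}},
    {"uuid": "evt-5", "published": "2024-09-30T23:59:00.000Z",  # not an SSO event
     "eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "client": {"device": "unknown"}, "actor": {"alternateId": "erin@example.com"}},
    {"uuid": "evt-6", "published": "2024-09-30T23:59:30.000Z",
     "eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS"},
     "client": {"device": "unknown", "userAgent": {"rawUserAgent": "curl/8.4.0"}},
     "actor": {"alternateId": "frank@example.com"}},
]

def matches_advisory_query(event):
    """Local equivalent of the advisory's filter: a successful SSO authentication
    from a client Okta classified as an "Unknown"/"unknown" device type."""
    device = event.get("client", {}).get("device")
    return (event.get("outcome", {}).get("result") == "SUCCESS"
            and device in ("Unknown", "unknown")
            and event.get("eventType") == "user.authentication.sso")

def in_review_window(event):
    """True when the event's 'published' timestamp falls inside the review window."""
    ts = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
    return WINDOW_START <= ts < WINDOW_END

def find_suspect_sso_events(events):
    """Return the events to review, oldest first (input: exported System Log records)."""
    hits = [e for e in events if in_review_window(e) and matches_advisory_query(e)]
    return sorted(hits, key=lambda e: e["published"])
```

Each returned event still needs a human check: an "unknown" device type from a known automation account may be expected, while one tied to a user who never scripts access is the case to escalate.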
