Spoofing Okta users w/ Kerberos (for fun and profit)

Sep 20, 2015 | by Thomas Hill in Security

Original Author: Christopher Niggel, Sr. Manager, Security and Compliance, Okta

This weekend I received a call from our corporate security director: a user had sent him a screenshot showing someone else's Okta dashboard, and reported they could click on a chiclet and access Google Apps as that user. This was not good. Support tickets were filed, logs were pulled, and the Okta and LinkedIn teams spent their Sunday investigating the issue. After many log reviews, interviews, and tests, we identified the following event timeline:

- Bob (who reported the issue) had an expired Kerberos ticket-granting ticket (TGT) on his Mac laptop. Late on Friday afternoon, he called the helpdesk for assistance with a broken application

- Alice (our fearless helpdesk tech) visited his desk and uninstalled and reinstalled the affected application. This triggered an authentication prompt, which she answered with her own credentials

- OS X silently used Alice's credentials to refresh the Kerberos TGT, so the new TGT was issued for her principal rather than Bob's (visible using klist)

- Bob closed his laptop and went home for the weekend

- After a nice brunch, Bob opened his laptop at home Saturday afternoon and connected to the corporate VPN

- Bob went to our Okta site. Because he was on the VPN and held a valid TGT, he was taken through the Kerberos login flow

- Bob was logged into Okta as Alice

We were able to reproduce this timeline in the lab, and are deploying controls that can prevent this from happening again:

1. We have sent new instructions to our helpdesk techs to ask the user to enter their own credentials into any installation auth request

2. If the helpdesk tech must use their own credentials, run kdestroy before they finish working on the system

3. Deploy multi-factor authentication on critical applications, so if a user does access a "spoofed" Okta account, they can't view confidential data
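As an added example (not from the original post), here is a small POSIX shell check that detects the condition in the timeline above: a Kerberos credential cache whose principal does not belong to the user sitting at the machine. The klist output formats (Heimdal on OS X and MIT), the realm CORP.EXAMPLE and the sample cache contents are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag a TGT issued for someone other than the console user,
# the state Bob's laptop was in after Alice's reinstall refreshed the cache.

# Pull the user part of the cache principal out of klist-style text on stdin.
# Handles Heimdal ("        Principal: x@REALM") and MIT ("Default principal: x@REALM").
tgt_user_from_klist() {
  sed -n 's/^[[:space:]]*\(Default \)\{0,1\}[Pp]rincipal:[[:space:]]*\([^@]*\)@.*/\2/p' | head -n 1
}

# Compare the cache principal with the expected local user.
# Prints "no-ticket", "ok:<user>" or "mismatch:<user>"; exit status 1 on mismatch.
check_tgt_owner() {
  expected="$1"
  klist_output="$2"
  actual=$(printf '%s\n' "$klist_output" | tgt_user_from_klist)
  if [ -z "$actual" ]; then
    echo "no-ticket"
    return 0
  fi
  if [ "$actual" = "$expected" ]; then
    echo "ok:$actual"
    return 0
  fi
  # A mismatch is the cue to run kdestroy (control 2 above) before the user
  # reaches a Kerberos-enabled login such as Okta.
  echo "mismatch:$actual"
  return 1
}

# Constructed sample: Heimdal-style klist output on Bob's laptop after the refresh.
SAMPLE_KLIST='Credentials cache: API:501:1
        Principal: alice@CORP.EXAMPLE

  Issued                Expires               Principal
Sep 18 16:42:10 2015  Sep 19 02:42:10 2015  krbtgt/CORP.EXAMPLE@CORP.EXAMPLE'

# Demo on the constructed sample; on a real Mac use: check_tgt_owner "$(id -un)" "$(klist 2>/dev/null)"
if check_tgt_owner bob "$SAMPLE_KLIST" >/dev/null; then
  echo "cache principal matches console user"
else
  echo "cache principal does NOT match console user; run kdestroy"
fi
```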


I hope that helps anyone else out there in Mac/Kerberos land!
