{"id":163867,"date":"2024-05-30T06:54:49","date_gmt":"2024-05-30T06:54:49","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=163867"},"modified":"2024-05-30T06:54:51","modified_gmt":"2024-05-30T06:54:51","slug":"okta-credential-stuffing-cross-origin-authentication","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/163867\/cyber-crime\/okta-credential-stuffing-cross-origin-authentication.html","title":{"rendered":"Okta warns of credential stuffing attacks targeting its Cross-Origin Authentication feature"},"content":{"rendered":"
<\/div>\n

Identity and access management firm Okta warns\u00a0of credential stuffing attacks targeting the Customer Identity Cloud (CIC) feature.<\/h2>\n\n\n\n

Okta warns of credential stuffing attacks that have been targeting its Customer Identity Cloud (CIC) feature since April.<\/p>\n\n\n\n

A credential stuffing attack is a type of cyber attack where hackers use large sets of username and password combinations, typically obtained from previous data breaches, phishing campaigns, or info-stealer infections, to gain unauthorized access to user accounts on various online services. Credential stuffing attacks exploit the widespread practice of using the same login credentials across multiple online accounts. Attackers automate the process of trying these credentials on various websites until they find a match, granting them unauthorized access to compromised accounts. This method poses a risk of exposing sensitive data or enabling fraudulent activities.<\/p>\n\n\n\n

The identity and access management firm observed suspicious activity that started on April 15.\u00a0<\/p>\n\n\n\n

The advisory published by the company states that the attacks targeted the endpoints supporting the cross-origin authentication feature and hit several customers.<\/p>\n\n\n\n

“Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks,” reads the advisory. “For context, we observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers.”<\/p>\n\n\n\n

Cross-Origin Resource Sharing (CORS) is a mechanism that allows a web page to make an AJAX call using XMLHttpRequest (XHR) to a domain that is different from the domain where the script was loaded. Such cross-domain requests would otherwise be forbidden by web browsers, as dictated by the same-origin security policy. CORS defines a standardized way in which the browser and the server can interact to determine whether to allow the cross-origin request.<\/p>\n\n\n\n

The company notified the targeted customers that have this feature enabled. It also recommends disabling targeted URLs if they are not in use.<\/p>\n\n\n\n

Okta recommends reviewing suspicious activity from April 15 onward and suggests reviewing the following log events:<\/p>\n\n\n\n