Expel said that PoisonSeed has discovered a clever sleight of hand to bypass this important step. As the user enters the username and password into the fake Okta site, a PoisonSeed team member enters them in real time into a real Okta login page. As Thursday's post went on to explain:
In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.
This process—while seemingly complicated—effectively bypasses any protections that a FIDO key grants, and gives the attackers access to the compromised user's account, including access to any applications, sensitive documents, and tools such access provides.
How FIDO makes such attacks impossible
The end result, the security firm said, was an adversary-in-the-middle attack that tampered with the QR code process to bypass FIDO MFA. As noted earlier, the writers of the FIDO spec anticipated such attack techniques and built in defenses that make them impossible, at least in the form described by Expel. Had the targeted Okta MFA process followed FIDO requirements, the login would have failed for at least two reasons.
First, the device providing the hybrid form of authentication (the phone that scans the QR code) must be physically close enough to the device logging in for the two to complete a Bluetooth Low Energy proximity check; the hybrid transport does not proceed without it. In the attack described, the phone is next to the victim's computer, not the attacker's. Contrary to what Expel said, this isn't "an additional security feature." It's mandatory. Without it, the authentication fails.
Second, the challenge the hybrid device signs is bound to the relying party identifier, and the browser records the origin of the page the user is actually on in the signed client data. A ceremony started from the fake site (here okta[.]login-request[.]com) would therefore carry that origin rather than the genuine Okta.com domain. Even if the hybrid device were in close proximity to the attacker's device, the authentication would still fail, since the origins don't match and the mismatch is covered by the signature.
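To make the second point concrete, here is an added example (my code, not Expel's, Okta's, or any FIDO implementation's) that simulates the WebAuthn pieces involved: the browser writes the origin of the page it is on into clientDataJSON and hands the RP ID derived from that page to the authenticator, which hashes it into authenticatorData; the signature covers both, so a relying party that checks them against its own fixed values rejects an assertion produced on okta[.]login-request[.]com, and also rejects one where a relay tries to rewrite those fields in transit. The genuine origin https://okta.com and RP ID okta.com are assumptions for the example, and the ceremony is driven in-process rather than by a real browser and authenticator.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

const rpOrigin, rpID = "https://okta.com", "okta.com" // assumed genuine RP values for this example, not from Expel's report

// clientData holds the CollectedClientData fields that matter for origin binding.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, unpadded
	Origin    string `json:"origin"`    // written by the browser, never by page script
}

// assertion is what the RP gets back from navigator.credentials.get().
type assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // DER ECDSA-P256 over SHA-256(authData || SHA-256(clientDataJSON))
}

func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// clientCeremony plays browser and authenticator together: the browser records the origin
// of the page the user is really on, and the authenticator hashes the RP ID derived from it.
func clientCeremony(priv *ecdsa.PrivateKey, pageOrigin, challenge string) (*assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return nil, err
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpIDHash := sha256.Sum256([]byte(u.Hostname())) // default RP ID: the caller's effective domain
	authData := append(rpIDHash[:], 0x01)            // flags: user present
	authData = append(authData, 0, 0, 0, 1)          // signature counter
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the RP-side check; expected origin and RP ID are fixed on the server.
func verifyAssertion(pub *ecdsa.PublicKey, a *assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return errors.New("wrong ceremony type or challenge (replayed or relayed from another session)")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin mismatch: got %s, want %s", cd.Origin, rpOrigin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// attemptLogin runs one ceremony with the browser on pageOrigin and returns the genuine RP's
// verdict. With forge set, a relay rewrites origin and rpIdHash in transit to the genuine values.
func attemptLogin(pageOrigin string, forge bool) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	buf := make([]byte, 32)
	rand.Read(buf) // RP-issued, single-use challenge
	challenge := base64.RawURLEncoding.EncodeToString(buf)
	a, err := clientCeremony(priv, pageOrigin, challenge)
	if err != nil {
		return err
	}
	if forge { // both fields sit under the signature, so the rewrite is caught
		a.ClientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: rpOrigin})
		rpHash := sha256.Sum256([]byte(rpID))
		copy(a.AuthenticatorData[:32], rpHash[:])
	}
	return verifyAssertion(&priv.PublicKey, a, challenge)
}

func main() {
	fmt.Println(attemptLogin(rpOrigin, false), "|", attemptLogin("https://okta.login-request.com", false), "|", attemptLogin("https://okta.login-request.com", true))
}
```

Run as written: the genuine origin verifies (nil error), the phishing origin fails on the origin check, and the forged relay fails on the signature check. The point for defenders is that the origin and RP ID hash are inputs to the signature the phone produces, so a proxy sitting between the victim and the real login page cannot launder them; a QR code relay can only succeed if the flow has fallen back to a scheme that never binds the authenticator to the page origin, which is the downgrade described below.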
What Expel seems to have encountered is an attack that downgraded FIDO MFA to some weaker form of MFA. Very likely, this weaker authentication was similar to the schemes used to log in to a Netflix or YouTube account on a TV with a phone, where the phone approves a session for a device it has never verified it is near. Assuming this was the case, the person who administered the organization's Okta login page would have had to deliberately choose to allow this fallback to a weaker form of MFA. As such, the attack is more accurately classified as a FIDO downgrade attack, not a bypass.