Expel stated that PoisonSeed has discovered a intelligent sleight of hand to bypass this important step. Because the consumer enters the username and password into the pretend Okta web site, a PoisonSeed staff member enters them in actual time into an actual Okta login web page. As Thursday’s put up went on to elucidate:
Within the case of this assault, the unhealthy actors have entered the right username and password and requested cross-device sign-in. The login portal shows a QR code, which the phishing web site instantly captures and relays again to the consumer on the pretend web site. The consumer scans it with their MFA authenticator, the login portal and the MFA authenticator talk, and the attackers are in.
This course of—whereas seemingly sophisticated—successfully bypasses any protections {that a} FIDO key grants, and offers the attackers entry to the compromised consumer’s account, together with entry to any purposes, delicate paperwork, and instruments such entry offers.
How FIDO makes such assaults unimaginable
The tip end result, the safety agency stated, was an adversary-in-the-middle assault that tampered with the QR code course of to bypass FIDO MFA. As famous earlier, writers of the FIDO spec anticipated such assault strategies and constructed defenses that make them unimaginable, at the least within the kind described by Expel. Had the focused Okta MFA course of adopted FIDO necessities, the login would have failed for at the least two causes.
First, the system offering the hybrid type of authentication must be bodily shut sufficient to the attacker system logging in for the 2 to attach over Bluetooth. Opposite to what Expel stated, this isn’t an “an extra safety function.” It’s obligatory. With out it, the authentication will fail.
Second, the problem the hybrid system must signal can be certain to the area of the pretend web site (right here okta[.]login-request[.]com) and never the real Okta.com area. Even when the hybrid system was in shut proximity to the attacker system, the authentication would nonetheless fail, for the reason that URLs don’t match.
What Expel appears to have encountered is an assault that downgraded FIDO MFA with some weaker MFA kind. Very seemingly, this weaker authentication was much like these used to log in to a Netflix or YouTube account on a TV with a cellphone. Assuming this was the case, the one who administered the group’s Okta login web page would have needed to intentionally select to permit this fallback to a weaker type of MFA. As such, the assault is extra precisely categorised as a FIDO downgrade assault, not a bypass.
