DevTestSecOps
#hack #Okta again!? https://sec.okta.com/harfiles
#hack #way
A good example of a suspected security breach report from !#1password
They suspected that something was going on in their #Okta account, i.e. all sorts of internal admin and helpdesk stuff.
A member of the IT team handled Okta support and, at their request, created a HAR file from Chrome Dev Tools and uploaded it to the Okta support portal. This HAR file contains a record of all traffic between the browser and Okta's servers, including sensitive information including session cookies. In the early morning hours of Friday, September 29, an unknown attacker used the same Okta session used to create the HAR file to access the Okta administration portal and attempted the following:
- Attempted to access an IT employee's user dashboard, but the attempt was blocked by the Okta system.
- Updated the existing IDP tied to our Google production environment.
- Activated the IDP.
- Requested an admin user report.
The last action on this list resulted in an alert email being sent to a member of the IT team, which of course resulted in a quick response.
More details:
https://blog.1password.com/files/okta-incident/okta-incident-report.pdf
A good example of a suspected security breach report from !#1password
They suspected that something was going on in their #Okta account, i.e. all sorts of internal admin and helpdesk stuff.
A member of the IT team handled Okta support and, at their request, created a HAR file from Chrome Dev Tools and uploaded it to the Okta support portal. This HAR file contains a record of all traffic between the browser and Okta's servers, including sensitive information including session cookies. In the early morning hours of Friday, September 29, an unknown attacker used the same Okta session used to create the HAR file to access the Okta administration portal and attempted the following:
- Attempted to access an IT employee's user dashboard, but the attempt was blocked by the Okta system.
- Updated the existing IDP tied to our Google production environment.
- Activated the IDP.
- Requested an admin user report.
The last action on this list resulted in an alert email being sent to a member of the IT team, which of course resulted in a quick response.
More details:
https://blog.1password.com/files/okta-incident/okta-incident-report.pdf
👏2🤔2