Wednesday, November 6, 2024
Okta, a leading Identity and Access Management (IAM) vendor, has patched a critical vulnerability in Okta Verify for Windows that could allow attackers to steal user passwords. The flaw was discovered during routine penetration testing and affects Okta Verify Agent versions 5.0.2 through 5.3.2 on Windows. It has been assigned the identifier CVE-2024-9191 and concerns the Okta Device Access feature.
An attacker who already has access to a compromised device can use the vulnerability to retrieve, through OktaDeviceAccessPipe, the passwords associated with users' passwordless Okta Device Access logins. Only users who sign in with Okta Device Access without a password are affected; users on other platforms, and those who use only the FastPass feature of Okta Verify, are not.
Okta fixed the vulnerability in version 5.3.3 of the Verify Agent for Windows and advises affected customers to update to the latest version promptly. The issue was first identified on April 17, 2024, in version 5.0.2; Okta shipped an Early Access build with the fix on September 20, 2024, followed by the general release on October 25, 2024.
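To act on the advisory, a defender needs to know which hosts run an affected Okta Verify build and which of those actually use the exposed feature. The script below is an added example, not code from Okta or from the article, that triages a software inventory against the version range and preconditions stated above (Windows only, 5.0.2 through 5.3.2 affected, fixed in 5.3.3, exposure limited to Okta Device Access passwordless users). The `Host` record layout and the sample inventory are constructed for the example; real data would come from your endpoint management or asset inventory export.

```python
"""Fleet triage for CVE-2024-9191 (Okta Verify for Windows).

Added example; not Okta's code. Version boundaries come from the advisory:
affected 5.0.2 through 5.3.2, fixed in 5.3.3. Only Windows hosts using
Okta Device Access passwordless login are exposed; other platforms and
FastPass-only use are not.
"""
from dataclasses import dataclass

AFFECTED_MIN = (5, 0, 2)   # first affected Okta Verify for Windows release
AFFECTED_MAX = (5, 3, 2)   # last affected release
FIXED = (5, 3, 3)          # release that contains the fix


def parse_version(text):
    """Parse 'major.minor.patch' into a comparable tuple of ints.

    Extra build components (e.g. '5.1.0.4567') are ignored, missing
    components are padded with 0, and a non-numeric component is an error.
    Numeric comparison matters: '5.10.1' must sort above '5.3.3'.
    """
    nums = []
    for part in text.strip().split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"non-numeric version component in {text!r}")
        nums.append(int(digits))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def in_affected_range(version):
    """True if the version string falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class Host:
    name: str
    platform: str                     # "windows", "macos", ... (hypothetical inventory field)
    okta_verify_version: str
    device_access_passwordless: bool  # host uses Okta Device Access passwordless login


def triage(host):
    """Return (label, reason) for one host: 'patch-now', 'update' or 'ok'."""
    if host.platform.lower() != "windows":
        return ("ok", "issue is specific to Okta Verify for Windows")
    version = parse_version(host.okta_verify_version)
    if version >= FIXED:
        return ("ok", "running a fixed release (5.3.3 or later)")
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        if host.device_access_passwordless:
            return ("patch-now", "affected version and Device Access passwordless login in use")
        return ("update", "affected version; FastPass-only use is not exposed, but update anyway")
    return ("update", "older than the affected range; update to the current release")


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    Host("WS-001", "windows", "5.3.2", True),
    Host("WS-002", "windows", "5.3.3", True),
    Host("WS-003", "windows", "5.1.0.4567", False),
    Host("MAC-001", "macos", "5.2.0", True),
    Host("WS-004", "windows", "5.10.1", True),
    Host("WS-005", "windows", "4.9.0", True),
]


def triage_report(hosts=SAMPLE_INVENTORY):
    """Map host name to triage label for a whole inventory."""
    return {h.name: triage(h)[0] for h in hosts}


if __name__ == "__main__":
    for h in SAMPLE_INVENTORY:
        label, reason = triage(h)
        print(f"{h.name:8} {h.okta_verify_version:12} {label:10} {reason}")
```

The `patch-now` bucket is the one to drive remediation from; `update` hosts are not exposed to this particular flaw per the advisory but still sit on an unsupported or pre-fix build. Because the inventory field that records whether Device Access passwordless login is enabled is an assumption of this example, confirm how your own tooling exposes that setting before relying on the split.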
Source: https://cybersecuritynews.com/okta-verify-agent-windows-flaw/