Introduction:
A critical vulnerability, CVE-2024-10327, has been discovered in Okta Verify for iOS (versions 9.25.1 and 9.27.0). This flaw allows successful authentication regardless of the user’s push notification response, compromising the security of push-based MFA and potentially enabling unauthorized access. If not addressed quickly, this vulnerability could expose your organization to significant security risks.
Who is Affected?
This issue affects users who enrolled under Okta Classic Engine, even if they’ve since upgraded to Okta Identity Engine. Tenants created directly on OIE are not impacted.
Technical Details:
The vulnerability is rooted in iOS’s ContextExtension feature, affecting the following scenarios:
- Locked screen: Users can respond to push notifications without unlocking the device, bypassing standard authentication.
- Home screen: Users can swipe down the notification banner to approve or deny authentication without full security checks.
- Apple Watch: Users can directly respond to a push notification without the usual MFA safeguards.
The issue arises when users long-press on push notifications and select either the “Yes” or “No” options, which both erroneously allow the authentication to succeed. Based on the CVSS 3.1 system, the vulnerability has been assigned a high severity score of 8.1, reflecting its potential impact on confidentiality and integrity.
How to Address the Vulnerability:
To protect against this flaw, immediately update to Okta Verify version 9.27.2 or higher. IT administrators should enforce updates using MDM/MAM solutions and ensure end-users update the app from the Apple App Store. Users can download the latest version here.
Conclusion:
Resolving this vulnerability is essential to maintaining your organization’s security. Promptly updating your devices will prevent potential exploitation. For more information, refer to the official Okta Security Advisory and the National Vulnerability Database.
Take Action: Okta Health Check
Is your Okta environment fully optimized for security? Alchemy’s Okta Health Check comprehensively reviews your setup, ensuring it aligns with industry best practices. Our consultants will assess your configuration, identify risks, and offer tailored recommendations to secure your data and strengthen business operations. Don’t leave your identity infrastructure vulnerable—schedule your Okta Health Check today and maintain a resilient security posture.
Book your Health Check now.
