by ethbr1 971 days ago
>> It appears that in our case, the threat-actor was able to hijack a session token from a support ticket which was created by a Cloudflare employee.

It's the same type of session replay attack (likely HAR) discussed in the original article, no?

It seems a reasonable expectation to assume that anything sent to Okta support isn't instantly available to attackers.

So, yes, valid session tokens were dumb. But also yes, Okta fucked up here too.

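The HAR files the comment refers to are browser recordings that typically carry live session cookies and bearer tokens, which is why handing one to a support desk is equivalent to handing over the session. As an added example (not code from this thread, nor from Okta or Cloudflare), here is a small Python sanitizer that redacts session-bearing headers, cookies and query parameters from a HAR document before it is attached to a ticket. The HAR layout follows the HAR 1.2 structure (`log.entries[].request/response` with `headers[]`, `cookies[]`, `queryString[]`); the sample HAR and the list of sensitive parameter names are constructed assumptions.

```python
"""Redact session material from a HAR file before it leaves the machine.

Added example, not the project's own code. The sample HAR below is
constructed for illustration and is not a real capture.
"""
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names (compared case-insensitively) that commonly carry session material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Query/body parameter names that commonly carry tokens (assumed list; extend as needed).
SENSITIVE_PARAMS = {"token", "access_token", "session", "sid"}
REDACTED = "[REDACTED]"


def _redact_named(items, names):
    """Redact the value of every {name, value} item whose name is in `names`."""
    n = 0
    for item in items:
        if item.get("name", "").lower() in names and item.get("value") != REDACTED:
            item["value"] = REDACTED
            n += 1
    return n


def _redact_cookies(cookies):
    """Every cookie value in a HAR is potentially a session; redact them all."""
    n = 0
    for c in cookies:
        if c.get("value") not in (None, REDACTED):
            c["value"] = REDACTED
            n += 1
    return n


def _redact_url(url):
    """Scrub sensitive query parameters from the raw URL string as well."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    n = 0
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS and value != REDACTED:
            value = REDACTED
            n += 1
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), n


def redact_har(har):
    """Return (sanitized_copy, number_of_redacted_fields); the input is not modified."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            count += _redact_named(msg.get("headers", []), SENSITIVE_HEADERS)
            count += _redact_cookies(msg.get("cookies", []))
        req = entry.get("request", {})
        count += _redact_named(req.get("queryString", []), SENSITIVE_PARAMS)
        count += _redact_named(req.get("postData", {}).get("params", []), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            count += n
    return out, count


def har_has_secrets(har):
    """True if the HAR still holds any non-redacted session-bearing value."""
    return redact_har(har)[1] > 0


# Constructed sample HAR (not a real capture): one request carrying a session
# cookie and a token query parameter, and a response that sets a new cookie.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://example.test/api/me?token=abc123",
                "headers": [{"name": "Cookie", "value": "session=deadbeef"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "session", "value": "deadbeef"}],
                "queryString": [{"name": "token", "value": "abc123"}],
            },
            "response": {
                "status": 200,
                "headers": [{"name": "Set-Cookie", "value": "session=newvalue; HttpOnly"},
                            {"name": "Content-Type", "value": "application/json"}],
                "cookies": [{"name": "session", "value": "newvalue"}],
            },
        }],
    }
}

if __name__ == "__main__":
    clean, n = redact_har(SAMPLE_HAR)
    print(f"redacted {n} fields; secrets remaining: {har_has_secrets(clean)}")
    print(json.dumps(clean, indent=2))
```

Running the script on a real export works the same way: load the HAR with `json.load`, pass it to `redact_har`, and write the sanitized copy out; `har_has_secrets` is the pre-upload check that should be false before the file is attached anywhere. The defensive point matching the thread is that redaction must happen on the customer side, because once the file is in a support system its exposure depends on that system's controls, not the customer's.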

> It seems a reasonable expectation to assume that anything sent to Okta support isn't instantly available to attackers.

No, that's not a reasonable assumption. A malicious Okta employee is just as significant an attack vector as a compromised Okta support tool.

'Malicious Okta employee' who already has privileged access in the systems the customer has chosen to outsource their auth to?

If an Okta employee is a high-priority threat model... then the customer is better off not using Okta.

Not that it shouldn't be considered, but if Okta top-to-bottom penetration is expected and accepted, then that's taking Zero Trust to a whole new length.