Main Vulnerability Database SB2024102566

SB2024102566 - Multifactor authentication bypass in Okta Verify for iOS

Published: October 25, 2024

Security Bulletin ID SB2024102566

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Security features bypass (CVE-ID: CVE-2024-10327)

The vulnerability allows a remote attacker to bypass multifactor authentication.

The vulnerability exists due to the application allows push notification responses through the iOS ContextExtension feature, which leads to the victim confirming the authentication request regardless of the option selection. When a user long-presses the notification banner and selects an option, both options allow the authentication to succeed. A remote attacker with knowledge of the victim's password (or with ability to perform password spraying attack) can bypass second factor authentication and gain unauthorized access to the application protected with Okta Verify.

Remediation

Install update from vendor's website.

References

https://trust.okta.com/security-advisories/okta-verify-for-ios-cve-2024-10327