Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://federate.social/users/jik/statuses/113254401736343618">Jonathan Kamens (jik@federate.social)'s status on Saturday, 05-Oct-2024 21:59:20 JST</a><a href="https://federate.social/@jik" title="jik@federate.social"><img src="https://gnusocial.jp/avatar/112846-48-20230416171343.webp" width="48" height="48" alt="Jonathan Kamens" style="position: absolute; left: 0; top: 0;">Jonathan Kamens</a></section><article><p>I'm a tad bit annoyed by <a href="https://federate.social/tags/infosec" rel="tag">#infosec</a> professionals referring to the <a href="https://federate.social/tags/Okta" rel="tag">#Okta</a> bug that was just announced as an "authentication" bypass or vulnerability when it is, rather, an *authorization* issue.<br>Authz bypasses are bad, but dramatically less bad than authn bypasses, because the size of the population able to take advantage of them is much smaller and typically more trusted.<br>Getting the terminology right matters.<br>Ref: <a href="https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/" rel="nofollow noreferrer">https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3777881#notice-7393483">In conversation</a><time datetime="2024-10-05T21:59:20+09:00" title="Saturday, 05-Oct-2024 21:59:20 JST">about 2 months ago</time> <span>from <span><a href="https://federate.social/@jik/113254401736343618" rel="external" title="Sent from federate.social via ActivityPub">federate.social</a></span></span><a href="https://federate.social/@jik/113254401736343618">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/">Okta Classic Application Sign-On Policy Bypass</a></h5><div></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Jonathan Kamens (jik@federate.social)'s status on Saturday, 05-Oct-2024 21:59:20 JST Jonathan Kamens
I'm a tad bit annoyed by #infosec professionals referring to the #Okta bug that was just announced as an "authentication" bypass or vulnerability when it is, rather, an *authorization* issue.
Authz bypasses are bad, but dramatically less bad than authn bypasses, because the size of the population able to take advantage of them is much smaller and typically more trusted.
Getting the terminology right matters.
Ref: https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/
In conversationabout 2 months ago from federate.socialpermalink
Attachments
1. No result found on File_thumbnail lookup.
  Okta Classic Application Sign-On Policy Bypass

Public

Embed Notice

HTML Code

Corresponding Notice