CVE-2024-10327 Overview
A critical authentication bypass vulnerability has been identified in Okta Verify for iOS in which push notification responses sent through the iOS ContextExtension feature succeed regardless of the user's actual selection. When a user long-presses the notification banner and selects an option, both "Approve" and "Deny" result in successful authentication, effectively bypassing the intended multi-factor authentication protection.
This vulnerability affects specific versions of Okta Verify for iOS and represents a significant security risk for organizations relying on Okta's push notification mechanism for multi-factor authentication.
Critical Impact
Attackers who have compromised user credentials can bypass MFA protection, as denying push notifications does not prevent authentication success.
Affected Products
- Okta Verify for iOS version 9.25.1 (beta)
- Okta Verify for iOS version 9.27.0 (including beta)
- Users enrolled in Okta Verify while using Okta Classic (including those who have since upgraded to Okta Identity Engine)
Discovery Timeline
- October 24, 2024 - CVE-2024-10327 published to NVD
- October 25, 2024 - Last updated in NVD database
Technical Details for CVE-2024-10327
Vulnerability Analysis
This vulnerability is classified as CWE-287 (Improper Authentication) and affects the iOS ContextExtension feature within Okta Verify's push notification handling mechanism. The flaw occurs in the notification response processing logic, where the application fails to properly differentiate between approval and denial responses when using specific notification interaction methods.
The vulnerable flows include scenarios where users interact with notifications from a locked screen without unlocking the device, drag notifications down on the home screen to respond, or use an Apple Watch to reply directly to notifications. In all these cases, the underlying authentication request proceeds successfully regardless of whether the user selected "Approve" or "Deny."
A critical pre-condition for exploitation is that the affected user must have originally enrolled in Okta Verify while their organization was using Okta Classic infrastructure. This applies even if the organization has since migrated to Okta Identity Engine.
Root Cause
The root cause lies in improper handling of user responses within the iOS ContextExtension notification framework. The Okta Verify application fails to correctly propagate the user's denial selection to the authentication backend when notifications are handled through the ContextExtension pathway. This results in both positive and negative user responses being interpreted as authentication approvals.
Attack Vector
This vulnerability requires network access and user interaction to exploit. An attacker who has already obtained a victim's primary credentials (username and password) can initiate an authentication attempt, triggering a push notification to the victim's device. Even if the victim denies the authentication request through one of the vulnerable notification interaction methods, the authentication will succeed, granting the attacker access to the protected account.
The attack is particularly dangerous because:
- The victim believes they have successfully blocked the unauthorized access attempt
- No additional alerts or warnings are generated
- The attacker gains full authenticated access despite the explicit denial
The vulnerability mechanism involves the iOS ContextExtension improperly processing the user's response selection. When a notification is interacted with via the vulnerable pathways (locked screen response, drag-down notification, or Apple Watch), the denial action fails to properly communicate with Okta's authentication servers, resulting in default approval behavior. For detailed technical information, refer to the Okta Security Advisory.
Detection Methods for CVE-2024-10327
Indicators of Compromise
- Successful authentication events that occur shortly after a user reports denying an MFA push notification
- Multiple consecutive push notification requests followed by successful logins from unusual geographic locations
- Authentication success logs from devices where the user claims to have rejected the request
- Unusual login patterns from accounts that use iOS devices with Okta Verify
Detection Strategies
- Monitor Okta System Log for authentication events and correlate with user-reported MFA denials
- Implement alerting for successful authentications from new locations or devices immediately following MFA push events
- Review authentication logs for iOS clients using Okta Verify versions 9.25.1 and 9.27.0
- Enable and review detailed MFA event logging to track push notification responses
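One way to implement the System Log correlation described above, as an added example that is not code from Okta or from the original advisory: it flags successful MFA authentications that follow a push within two minutes from a country the user has never signed in from before. The event type names and JSON fields are assumed to resemble Okta System Log output and should be verified against your tenant; the sample events are constructed.

```python
import json
from datetime import datetime, timezone, timedelta

# Constructed sample events in Okta System Log style (not real tenant data);
# event type names are assumed to match Okta's and should be verified.
SAMPLE_LOG = """
{"published":"2024-10-01T09:00:00Z","eventType":"user.session.start","actor":"alice","country":"US","ip":"203.0.113.10"}
{"published":"2024-10-02T08:30:00Z","eventType":"user.session.start","actor":"bob","country":"US","ip":"203.0.113.11"}
{"published":"2024-10-24T14:01:00Z","eventType":"system.push.send_factor_verify_push","actor":"alice","country":"RO","ip":"198.51.100.7"}
{"published":"2024-10-24T14:01:25Z","eventType":"user.authentication.auth_via_mfa","actor":"alice","country":"RO","ip":"198.51.100.7","outcome":"SUCCESS"}
{"published":"2024-10-24T15:10:00Z","eventType":"system.push.send_factor_verify_push","actor":"bob","country":"US","ip":"203.0.113.11"}
{"published":"2024-10-24T15:10:08Z","eventType":"user.authentication.auth_via_mfa","actor":"bob","country":"US","ip":"203.0.113.11","outcome":"SUCCESS"}
"""

def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines()]

def ts(event):
    """Timestamp of an event as an aware UTC datetime."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_baseline(events, before):
    """Countries each user signed in from before the vulnerable window began."""
    baseline = {}
    for e in events:
        if e["eventType"] == "user.session.start" and ts(e) < before:
            baseline.setdefault(e["actor"], set()).add(e["country"])
    return baseline

def find_suspicious_mfa_success(events, baseline, window=timedelta(seconds=120)):
    """Flag successful MFA auths that follow a push within `window`
    from a country absent from the user's sign-in baseline."""
    pushes = [e for e in events if e["eventType"] == "system.push.send_factor_verify_push"]
    flagged = []
    for e in events:
        if e["eventType"] != "user.authentication.auth_via_mfa" or e.get("outcome") != "SUCCESS":
            continue
        t = ts(e)
        recent_push = any(p["actor"] == e["actor"] and timedelta(0) <= t - ts(p) <= window for p in pushes)
        if recent_push and e["country"] not in baseline.get(e["actor"], set()):
            flagged.append((e["actor"], e["published"], e["country"], e["ip"]))
    return flagged

def run_sample():
    """Run the detection over the constructed sample; returns the flagged tuples."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, before=datetime(2024, 10, 24, tzinfo=timezone.utc))
    return find_suspicious_mfa_success(events, baseline)
```

Because the denial never reaches Okta under this bug, the log shows only the push and the subsequent success with no deny event, so the geographic baseline and user-reported denials are what give the correlation its signal.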
Monitoring Recommendations
- Deploy SentinelOne Singularity Identity to monitor for anomalous authentication patterns and detect potential MFA bypass attempts
- Configure Okta to log detailed push notification response events for forensic analysis
- Establish baseline user authentication behavior to detect deviations indicative of credential compromise with MFA bypass
- Implement real-time alerting for authentication success events that match suspicious patterns
How to Mitigate CVE-2024-10327
Immediate Actions Required
- Update Okta Verify for iOS to the latest patched version immediately
- Notify users of affected iOS devices to update their Okta Verify application
- Audit authentication logs for any suspicious activity during the period vulnerable versions were in use
- Consider temporarily requiring additional authentication factors for high-risk users until patches are deployed
Patch Information
Okta has released security patches to address this vulnerability. Organizations should ensure all iOS devices running Okta Verify are updated to versions newer than 9.27.0. For detailed patch information and release notes, see the Okta Verify Release Notes and the Okta Security Advisory.
Workarounds
- Instruct users to unlock their devices before responding to Okta Verify push notifications
- Disable Apple Watch notifications for Okta Verify until the update is applied
- Require users to open the Okta Verify app directly to respond to authentication requests rather than using notification shortcuts
- Consider implementing number matching or biometric verification challenges as additional verification steps
For enterprise environments, mobile device management (MDM) solutions can be configured to enforce minimum app versions:
# Example MDM policy configuration for enforcing minimum Okta Verify version
# Consult your MDM vendor documentation for specific implementation
# Block authentication from vulnerable Okta Verify versions
# Configure Okta Admin Console -> Security -> Device Trust policies
# Set minimum iOS app version requirement above 9.27.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


