
Getting Clear Text Passwords from an IdP & More: Our Research Methodology

Date

August 26, 2022

Time

17:00

Track

CommSec Track

We’ve recently reported several methods to achieve privilege escalation in Okta by obtaining the clear-text password of any employee, including super-admins, plus other methods by which admins of org units or outsourced companies can impersonate super-admins and users. These issues were dubbed #PassBleed and were classified by Okta as inherent operational risks of their platform.

This talk will present the research process that led to the discovery of these non-vulnerabilities. We will share our internal research methodology, which is based on using knowledge graphs for trust analysis, and explain it by showing how we used it to discover these major weaknesses. Our methodology is useful to:

1. Automate vulnerability discovery
2. Enable research team collaboration
3. Visualize & Prioritize

The talk will include some technical details such as basic matrix math, a bit of Python code, and a (single) raw JSON data dump. A small code example will probably be open-sourced a few days after the talk.
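The abstract describes trust analysis over a knowledge graph with matrix math but gives no code. The following is an added example written for this page, not the speakers' or Authomize's code: a constructed identity graph (the node names and grants are hypothetical and do not describe Okta's real permission model) is turned into a boolean adjacency matrix, its transitive closure is computed with repeated boolean matrix multiplication, and the result is used for the three goals the abstract lists: finding every principal that can reach a high-value node automatically, recovering the concrete chain of grants so a team member can verify it, and ranking principals by how much they can reach.

```python
"""Trust-graph reachability with boolean adjacency matrices.

Constructed example: a directed edge u -> v with a grant label means
"u can obtain the privileges or data of v via that grant". The graph
below is invented for illustration and is not any vendor's real model.
"""
from collections import deque
from typing import Dict, List, Optional, Sequence, Set, Tuple

Matrix = List[List[int]]
Edge = Tuple[str, str, str]  # (source, target, grant)

# Hypothetical principals and secrets (constructed sample input).
NODES: List[str] = [
    "helpdesk_admin",       # low-privileged admin role
    "unit_admin",           # admin of a single org unit
    "vendor_account",       # outsourced account inside that unit
    "alice",                # regular employee
    "carol",                # regular employee with no onward grants
    "plaintext_passwords",  # an export that exposes clear-text passwords
    "super_admin",          # the crown jewel
]

# Hypothetical grants (constructed sample input).
EDGES: List[Edge] = [
    ("helpdesk_admin", "alice", "reset_factors"),
    ("helpdesk_admin", "carol", "reset_factors"),
    ("unit_admin", "vendor_account", "manages_unit_members"),
    ("vendor_account", "alice", "shared_credential"),
    ("alice", "plaintext_passwords", "reads_export"),
    ("plaintext_passwords", "super_admin", "contains_super_admin_password"),
]


def adjacency(nodes: Sequence[str], edges: Sequence[Edge]) -> Matrix:
    """Build the 0/1 adjacency matrix A, with A[i][j] = 1 iff nodes[i] -> nodes[j]."""
    idx = {n: i for i, n in enumerate(nodes)}
    m = [[0] * len(nodes) for _ in nodes]
    for src, dst, _grant in edges:
        m[idx[src]][idx[dst]] = 1
    return m


def bool_matmul(a: Matrix, b: Matrix) -> Matrix:
    """Boolean matrix product: (A.B)[i][j] = OR_k (A[i][k] AND B[k][j])."""
    n = len(a)
    return [[int(any(a[i][k] and b[k][j] for k in range(n))) for j in range(n)]
            for i in range(n)]


def transitive_closure(a: Matrix) -> Matrix:
    """R = A | A^2 | A^3 | ... ; stop when a new power adds no entries.

    R[i][j] = 1 means node i can reach node j through some chain of grants.
    """
    n = len(a)
    reach = [row[:] for row in a]
    power = [row[:] for row in a]
    for _ in range(n):  # a path never needs more than n edges
        power = bool_matmul(power, a)
        merged = [[reach[i][j] | power[i][j] for j in range(n)] for i in range(n)]
        if merged == reach:
            break
        reach = merged
    return reach


def reachable(nodes: Sequence[str], closure: Matrix, src: str) -> Set[str]:
    """Every node the source can reach (the source itself only if it sits on a cycle)."""
    i = nodes.index(src)
    return {nodes[j] for j, bit in enumerate(closure[i]) if bit}


def shortest_path(nodes: Sequence[str], edges: Sequence[Edge],
                  src: str, dst: str) -> Optional[List[Edge]]:
    """BFS over labelled edges: the concrete grant chain an analyst can verify."""
    out: Dict[str, List[Edge]] = {n: [] for n in nodes}
    for e in edges:
        out[e[0]].append(e)
    prev: Dict[str, Optional[Edge]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for e in out[cur]:
            if e[1] not in prev:
                prev[e[1]] = e
                queue.append(e[1])
    if dst not in prev:
        return None
    path: List[Edge] = []
    cur = dst
    while prev[cur] is not None:
        path.append(prev[cur])
        cur = prev[cur][0]
    return path[::-1]


def prioritize(nodes: Sequence[str], closure: Matrix,
               high_value: Sequence[str]) -> List[Tuple[str, int]]:
    """Rank non-high-value principals by how many high-value nodes they reach."""
    targets = set(high_value)
    scores = [(n, len(reachable(nodes, closure, n) & targets))
              for n in nodes if n not in targets]
    return sorted(((n, s) for n, s in scores if s), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    closure = transitive_closure(adjacency(NODES, EDGES))
    for principal, score in prioritize(NODES, closure, ["super_admin", "plaintext_passwords"]):
        chain = shortest_path(NODES, EDGES, principal, "super_admin")
        print(principal, score, " -> ".join(f"{s}[{g}]" for s, _t, g in chain) + " -> super_admin")
```

The closure is where the "matrix math" pays off: one fixed-point computation answers every "who can reach X" question, and the labelled BFS then turns each hit into a chain of grants that a second researcher can check against the real tenant. In practice the nodes and edges come from a JSON dump of the identity provider's objects and assignments rather than a hand-written list.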

Speakers

Co-Founder & CTO

Authomize

Mr. Gal Diskin is a cybersecurity and AI researcher. He was previously the VP & head of Palo Alto Networks’ Israeli site, and is a serial entrepreneur. Mr. Diskin’s research has been featured at HITB, Defcon, Black Hat, CCC, and other conferences, spanning fields from low-level security research such as hardware vulnerabilities, binary instrumentation, and car hacking to high-level research on AI detection methods, enterprise security, and identity security. Mr. Diskin was also the technical lead and co-founder of Intel’s software security organization, as well as the CTO of Cyvera and HeXponent (co-founder) before their acquisition.
