Okta Red Team Hack: Cloud Admin Group Vulnerability Exposed! #shorts

Just an example of the complexity. This was from a recent red team thing that we did. This one we handed the red team guy a laptop and gave him an account in our environment. Said, "See what you can do." And they found that there was an Octa admin group called This has been redacted. There wasn't actually one called cloud admin. But there was There was an admin group called Let's call it cloud admin. And there didn't exist a Google group with the same exact name. So, they created a Google group called cloud admin, which creates an email address with that with the company name, all that automatically. That synchronizes all the settings over to Octa. Octa says, "Oh, there's a new

group created. I'm going to create an Octa group, so everything stays synchronized with the exact same name as the admin group." Because Octa's cool, kind of, and they let you have multiple groups with the exact same name. I don't know why, but you can have multiple groups that are called the same thing, but they have a different ID. And so now they go and log They add their user to that group, and there are certain applications in the environment where instead of using the group ID, they use the group name. Great. Now they're in.