The Okta Browser Plugin, utilized by over 5 million users across popular browsers such as Chrome, Edge, Safari, and Firefox, has been found to contain a critical Cross-Site Scripting (XSS) vulnerability. This flaw, tracked as CVE-2024-0981 and rated with a severity score of 7.1 (High), allows attackers to execute arbitrary JavaScript code within the plugin. The vulnerability is triggered when users enter new credentials and the plugin prompts them to save these credentials with Okta Personal, potentially exposing sensitive information to cybercriminals.
The affected versions of the Okta Browser Plugin are from 6.5.0 through 6.31.0. The issue primarily impacts users who have integrated Okta Personal into their browser plugin for multi-account views. It is important to note that Workforce Identity Cloud users are not affected unless Okta Personal is being used in conjunction with their browser plugin. Recognizing the severity of the issue, Okta has acted quickly by issuing a security advisory and releasing an update that fixes the vulnerability in version 6.32.0.
For Okta administrators, a specific query is available to help identify users still operating on outdated plugin versions. This query enables admins to locate users who have not yet upgraded to the secure version, facilitating a smoother transition to the latest update. The Okta Browser Plugin is integral for many users, offering a range of features such as automatic sign-ins, password generation, and secure multi-account switching. Given the plugin’s extensive use and the nature of the vulnerability, addressing this security flaw is critical to maintaining user safety and data integrity.
Users are strongly urged to upgrade to the latest version of the Okta Browser Plugin, 6.32.0, to safeguard against potential attacks exploiting this XSS vulnerability. Okta’s prompt response in providing a fix highlights the importance of swift action in addressing security vulnerabilities. As cyber threats continue to evolve, ensuring that security measures are up-to-date is essential for protecting sensitive data and maintaining the reliability of online services.
Reference:
