PT-2024-16190 · Okta · Okta Verify for iOS
Published 2024-10-24 · Updated 2026-04-20 · CVE-2024-10327
CVSS v3.1: 8.1 (High), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Okta Verify for iOS versions 9.25.1 (beta) through 9.27.0 (including beta)
Description
Okta Verify for iOS processes replies to its push notifications that are submitted through the iOS ContextExtension (the reply actions offered on the lock screen, on the home-screen notification, or on an Apple Watch) in a way that lets the authentication proceed regardless of which option the user chose: both the approve and the deny reply result in a successful sign-in. Only users who enrolled in Okta Verify while their Okta organization was on Okta Classic are affected, and they remain affected even if the organization has since upgraded to Okta Identity Engine. Responding from inside the Okta Verify app is not among the flows listed as vulnerable; the vulnerable flows are replies made from a locked screen, the home screen, or an Apple Watch.
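The flaw class the description names, modelled in Python as an added example (this is not Okta Verify's code or Okta's push protocol): a reply handler that treats any notification response as approval, beside one that accepts only an explicit, authenticated approve for a live challenge and records every other reply as a denial. The action identifiers, the per-device HMAC key, the challenge record and the sample replies are assumptions constructed for the illustration.

```python
"""Model of push-challenge reply handling: default-allow vs. explicit approval.

Added illustration of the flaw class described above (a notification reply
honoured regardless of the option chosen). It is not Okta Verify's code; the
action identifiers, the HMAC device key and the challenge record are
assumptions made for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical action identifiers a notification reply might carry back.
APPROVE_ACTION = "APPROVE"
DENY_ACTION = "DENY"
DISMISS_ACTION = "com.apple.UNNotificationDismissActionIdentifier"  # user swiped the prompt away


@dataclass
class Challenge:
    """One outstanding push challenge, as the verifying side would track it."""
    challenge_id: str
    user_id: str
    device_key: bytes        # assumed per-device secret shared at enrolment
    issued_at: float
    ttl_seconds: float = 60.0
    state: str = "PENDING"   # PENDING -> APPROVED | DENIED | EXPIRED


@dataclass
class NotificationReply:
    """What the phone sends back after the user taps a notification action."""
    challenge_id: str
    user_id: str
    action_id: str
    mac: bytes               # HMAC over (challenge_id, action_id) with the device key


def sign_reply(device_key: bytes, challenge_id: str, action_id: str) -> bytes:
    """Bind the chosen action to the challenge so a DENY cannot be replayed as APPROVE."""
    msg = f"{challenge_id}|{action_id}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def vulnerable_verify(challenge: Challenge, reply: NotificationReply) -> bool:
    """Default-allow: any reply that references the challenge counts as approval.

    This is the behaviour class the advisory describes: the user's selection is
    never consulted, so a DENY (or a dismissal) approves the sign-in.
    """
    if reply.challenge_id != challenge.challenge_id:
        return False
    challenge.state = "APPROVED"
    return True


def hardened_verify(challenge: Challenge, reply: NotificationReply,
                    now: Optional[float] = None) -> bool:
    """Approve only an explicit, authenticated APPROVE for a live challenge; all else denies."""
    now = time.time() if now is None else now
    if challenge.state != "PENDING":
        return False                           # already decided: no second answer accepted
    if reply.challenge_id != challenge.challenge_id or reply.user_id != challenge.user_id:
        return False                           # reply belongs to some other challenge
    if now - challenge.issued_at > challenge.ttl_seconds:
        challenge.state = "EXPIRED"
        return False
    expected = sign_reply(challenge.device_key, reply.challenge_id, reply.action_id)
    if not hmac.compare_digest(expected, reply.mac):
        challenge.state = "DENIED"             # tampered or forged reply closes the challenge
        return False
    if reply.action_id == APPROVE_ACTION:
        challenge.state = "APPROVED"
        return True
    challenge.state = "DENIED"                 # DENY, dismiss, unknown action: all deny
    return False


def scenario() -> dict:
    """Constructed walk-through of an attacker-triggered prompt that the user declines."""
    key = secrets.token_bytes(32)
    t0 = 1_700_000_000.0
    results = {}

    # 1. User taps "deny" on the lock screen.
    deny = NotificationReply("c1", "alice", DENY_ACTION, sign_reply(key, "c1", DENY_ACTION))
    results["vulnerable_accepts_deny"] = vulnerable_verify(Challenge("c1", "alice", key, t0), deny)
    results["hardened_accepts_deny"] = hardened_verify(Challenge("c1", "alice", key, t0), deny, now=t0 + 5)

    # 2. User swipes the notification away without choosing either option.
    dismiss = NotificationReply("c1", "alice", DISMISS_ACTION, sign_reply(key, "c1", DISMISS_ACTION))
    results["hardened_accepts_dismiss"] = hardened_verify(Challenge("c1", "alice", key, t0), dismiss, now=t0 + 5)

    # 3. Someone who captured the DENY reply rewrites its action to APPROVE but cannot re-sign it.
    forged = NotificationReply("c1", "alice", APPROVE_ACTION, deny.mac)
    results["hardened_accepts_forged_approve"] = hardened_verify(Challenge("c1", "alice", key, t0), forged, now=t0 + 5)

    # 4. Genuine approve from the enrolled device, inside the challenge lifetime.
    approve = NotificationReply("c1", "alice", APPROVE_ACTION, sign_reply(key, "c1", APPROVE_ACTION))
    results["hardened_accepts_approve"] = hardened_verify(Challenge("c1", "alice", key, t0), approve, now=t0 + 5)

    # 5. The same genuine approve, delivered after the challenge has expired.
    results["hardened_accepts_stale_approve"] = hardened_verify(Challenge("c1", "alice", key, t0), approve, now=t0 + 120)
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The point of the hardened handler is that "a reply arrived" is never itself an approval: the decision is taken only from an action identifier that is explicitly the approve action, bound to the challenge by the device key, for a challenge that is still pending and unexpired, and every other outcome closes the challenge as denied.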
Recommendations
For Okta Verify for iOS versions 9.25.1 (beta) through 9.27.0 (including beta): do not answer push prompts through the notification's reply actions (lock screen, home-screen notification, or Apple Watch), because a deny given there does not stop the sign-in; open the Okta Verify app and respond from inside it instead. Where possible, disable the ContextExtension feature until a fixed build is installed. Limit delivery of push notifications for affected enrollments to reduce exposure, and treat any unexpected push prompt as a live sign-in attempt that may succeed even though the user declined it. At the moment there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Improper Authentication
Affected Products
Okta Verify for iOS (iOS, Apple Watch)