Authentication tokens are not tangible tokens, of course. However, if these digital IDs are not routinely expired or restricted to a single device, they may be worth millions of dollars in the hands of threat actors.
Authentication tokens (commonly called "session tokens") play a vital role in cybersecurity. They encapsulate login authorization data, allowing for app validations and safe, authenticated logins to networks, SaaS applications, cloud computing, and identity provider (IdP) systems, as well as single sign-on (SSO) enabling ubiquitous corporate system access. This means that anyone holding a token has a gold key to company systems without having to complete a multifactor authentication (MFA) challenge.
Drawbacks of employee convenience
Token lifetime is frequently used to strike a balance between security and employee convenience, allowing users to authenticate once and maintain persistent access to applications for a set period of time. Attackers are increasingly obtaining these tokens through adversary-in-the-middle (AitM) attacks, in which the attacker is positioned between the user and legitimate applications to steal credentials or tokens, as well as pass-the-cookie attacks, which steal session cookies stored in browsers.
Personal devices have browser caches as well, but they are not subject to the same level of security as corporate systems. Threat actors can simply capture tokens from inadequately secured personal devices, making them more vulnerable. Yet personal devices are frequently granted access to corporate SaaS apps, posing a risk to corporate networks.
Once a threat actor secures a token, they get access to the user's rights and authorizations. If they have an IdP token, they can use the SSO features of all business applications that are integrated with the IdP without the need for an MFA challenge. If it is an admin-level credential with accompanying privileges, they have the ability to destroy systems, data, and backups. The longer the token remains active, the more they can access, steal, and damage. Furthermore, they can create new accounts that do not require the token for persistent network access.
While frequent expiration of session tokens will not prevent these types of attacks, it will significantly reduce the risk footprint by limiting the window of opportunity in which a stolen token works. Unfortunately, we often notice that tokens are not being expired at regular intervals, and some breach reports indicate that default token expirations are being purposely extended.
Token attacks in the spotlight
Last year, multiple breaches involving stolen authentication tokens made headlines. Two incidents involved hacked IdP tokens. According to Okta, threat actors were in their systems from September 28 to October 17 as a result of a compromised personal Gmail account. A saved password from the Gmail account was synchronised in the Chrome browser, granting access to a service account, most likely without MFA enforcement.
Once inside the service account, threat actors were able to obtain additional customer session tokens from ServiceNow's HAR files. The hack ultimately impacted all Okta customer support users.
Notably, on November 23, 2023, Cloudflare discovered a threat actor attacking its systems via session tokens obtained from the Okta hack. This suggests that these session tokens had not been expired 30 to 60 days after the Okta breach, either in the usual course of business or in response to the breach.
In September 2023, Microsoft also announced that threat actors had obtained a consumer signing key from a Windows crash dump. They then used it to attack Exchange and Active Directory accounts by exploiting an undisclosed flaw that allowed business systems to accept session tokens signed with the consumer signing key. This resulted in the theft of 60,000 US State Department emails. This hack may not have had the same impact if tokens had been more aggressively expired (or pinned).
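The two controls discussed above, expiring tokens and pinning them to a device, can both be enforced on the server at validation time. The sketch below is an added example, not code from any vendor named in this article. The token format, key, timeouts and function names are all assumptions, and `device_secret` stands in for a proof of possession of a device-held key.

```python
import hashlib
import hmac

# Constructed values for this example; none come from the article.
SERVER_KEY = b"constructed-demo-key"  # in practice a managed, rotated secret
MAX_LIFETIME = 8 * 3600               # absolute lifetime (s), regardless of activity
IDLE_TIMEOUT = 15 * 60                # inactivity (s) after which the session ends
SESSIONS = {}                         # token id -> last-seen time; stands in for a session store


def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue(token_id, user, device_secret, now):
    """Issue a signed token pinned to a hash of the device's secret."""
    device_hash = hashlib.sha256(device_secret).hexdigest()
    SESSIONS[token_id] = now
    body = f"{token_id}|{user}|{int(now)}|{device_hash}"
    return f"{body}|{_mac(body)}"


def validate(token, device_secret, now):
    """Return (ok, reason) for a presented token and device secret."""
    body, _, mac = token.rpartition("|")
    parts = body.split("|")
    if len(parts) != 4 or not parts[2].isdigit():
        return False, "malformed"
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return False, "bad signature"
    token_id, _user, issued_at, device_hash = parts
    last_seen = SESSIONS.get(token_id)
    if last_seen is None:
        return False, "revoked"   # server-side kill switch, e.g. after a breach
    if now - int(issued_at) > MAX_LIFETIME:
        del SESSIONS[token_id]
        return False, "expired"   # hard cap: activity cannot extend it
    if now - last_seen > IDLE_TIMEOUT:
        del SESSIONS[token_id]
        return False, "idle timeout"
    presented = hashlib.sha256(device_secret).hexdigest()
    if not hmac.compare_digest(presented, device_hash):
        return False, "device mismatch"  # token replayed from another device
    SESSIONS[token_id] = now
    return True, "ok"
```

Because the session store is checked on every request, deleting an entry from `SESSIONS` revokes the token immediately, which is the response-to-breach expiry the Cloudflare incident suggests was missing.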