1 min read

Bypassing Okta SSO=> HTTPS/HTTP

Bypassing Okta SSO=> HTTPS/HTTP


When doing recon on Yahoo assets during Hackerone AWC 2023, I found a host foo.bar.yahoo.com. I thought it must be some internal tool for engineers, few pages are listed but clicking on any of the pages redirects to Okta SSO. I found a bug during black box testing, http instead of https bypassed the Okta and the host was accessible.

Reproduction Steps:

  1. Check the hostname foo.bar.yahoo.com on the wayback machine.
  2. Found an indexed page: https://foo.bar.yahoo.com/page1/endpoint/
  3. Go to this page and it redirects to Okta SSO.
  4. Probe for https and http both ports with httpx .
  5. http://foo.bar.yahoo.com/page1/endpoint also got in results.
  6. Content-Length of both pages https and http were different.
  7. Go to http://foo.bar.yahoo.com/page/endpoint and the whole page was directly accessible.

The host is showing adtraffic. I tried to google these terms, ended up reporting to the team directly since the terms and results were out of my brain's scope.


  1. 14 March 2023 - Reported to Yahoo Team (via HackerOne)
  2. 15 March 2023 - Status changed to Pending Program Review by HackerOne
  3. 18 March 2023 - Triaged by Yahoo Staff
  4. 7th April 2023 - Rewarded
  5. 3rd May 2023 - Resolved

Causes of this finding:

I'm still curious to know how it worked. There are a few guesses I made on the reasons why it could have happened. I am still not sure why it worked this way.

  1. Access port 80 instead of port 443 and bypass Okta?
  2. Server misconfiguration while setting up SSL.

Future work: Research the cause by setting up Okta locally.

Happy Hacking!!