Okta fixes a rather embarrassing, but very serious, password flaw
For some usernames, a password was not necessary
Okta has fixed a concerning security vulnerability which could have allowed cybercriminals to log into people’s accounts simply by creating a long username.
In a security advisory, the identity management firm said it inadvertently introduced a bug in its product in July 2024 which allowed people with usernames longer than 52 characters to log in without providing the right password.
“On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication,” the security advisory reads.
Multiple conditions
Having a username of 52 characters or longer is just one of the conditions, the company noted, as users would also need to have Okta AD/LDAP delegated authentication, not apply MFA, and would need to have been previously authenticated, creating a cache of the authentication.
“The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic,” the advisory concluded.
So far, there is no evidence that the vulnerability was abused by anyone, and while it may sound like a stretch, exploiting it might actually be quite easy, as users could have their email addresses and their organization’s website domain as their username, making guessing the username a simple thing.
As a result, Okta is now warning its users to go through the logs for any suspicious logins.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
More from TechRadar Pro
- Okta warns users to be aware of damaging cyberattacks targeting customers
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.