Okta fixes a rather embarrassing, but very serious, password flaw

Shadowed hands on a digital background reaching for a login prompt.
Image Credit: Shutterstock (Image credit: Shutterstock)

Okta has fixed a concerning security vulnerability which could have allowed cybercriminals to log into people’s accounts simply by creating a long username.

In a security advisory, the identity management firm said it inadvertently introduced a bug in its product in July 2024 which allowed people with usernames longer than 52 characters to log in without providing the right password.

“On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication,” the security advisory reads.

Multiple conditions

Having a username of 52 characters or longer is just one of the conditions, the company noted, as users would also need to have Okta AD/LDAP delegated authentication, not apply MFA, and would need to have been previously authenticated, creating a cache of the authentication.

“The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic,” the advisory concluded.

So far, there is no evidence that the vulnerability was abused by anyone, and while it may sound like a stretch, exploiting it might actually be quite easy, as users could have their email addresses and their organization’s website domain as their username, making guessing the username a simple thing.

As a result, Okta is now warning its users to go through the logs for any suspicious logins.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.