An Okta Login Bug Bypassed Password Checks on Some Long Usernames
Short summary:
Okta has fixed a login vulnerability that allowed unauthorized access to accounts with usernames longer than 52 characters. This bug existed for three months and could have been exploited by entering any password.
Okta has disclosed a now-fixed vulnerability that, under specific conditions, allowed unauthorized account access by entering any password, provided the username was over 52 characters long. The issue, present from July 23 to October 30, 2024, involved a flaw in the caching process for AD/LDAP Delegated Authentication (DelAuth). Exploitation required Okta to rely on cached login data from a previous successful authentication, with no additional security measures like multi-factor authentication (MFA) in place.
The vulnerability arose from using the Bcrypt algorithm to generate cache keys from the combined userId, username, and password. Bcrypt only processes the first 72 bytes of its input, so once the userId and a long username filled that space, the password no longer contributed to the key. If the authentication agent was down or traffic was high, DelAuth would fall back to the cache, and any password submitted with the stored username produced a matching key. Okta resolved the issue by switching to the PBKDF2 cryptographic algorithm and advised affected customers to review system logs from the past three months.
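The following is an added model of the failure mode, not Okta's code: a fallback cache keyed by a truncating KDF (bcrypt's 72-byte limit is simulated over SHA-256 rather than calling real bcrypt) is compared with one keyed by PBKDF2 over the full input. The 20-character user id and the userId||username||password layout are assumptions made for the demonstration.

```python
import hashlib
import os

BCRYPT_INPUT_LIMIT = 72  # bcrypt silently ignores everything past 72 bytes of input
USER_ID = "00u1a2b3c4d5e6f7g8h9"  # constructed 20-character Okta-style user id


def truncating_kdf(material: bytes, salt: bytes) -> bytes:
    """Stand-in for the bcrypt-based cache key. Real bcrypt is not called;
    only its 72-byte input limit is modelled, over SHA-256 for simplicity."""
    return hashlib.sha256(salt + material[:BCRYPT_INPUT_LIMIT]).digest()


def pbkdf2_kdf(material: bytes, salt: bytes) -> bytes:
    """Cache key over the full input, as in the fix (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def cache_material(user_id: str, username: str, password: str) -> bytes:
    # Assumed layout: userId || username || password, with no separators.
    return (user_id + username + password).encode()


class DelAuthCache:
    """Model of the DelAuth fallback: remembers the key of each successful
    AD/LDAP login and, when the agent is unreachable, trusts a matching key."""

    def __init__(self, kdf):
        self.kdf = kdf
        self.salt = os.urandom(16)
        self.keys = set()

    def record_success(self, user_id, username, password):
        self.keys.add(self.kdf(cache_material(user_id, username, password), self.salt))

    def fallback_login(self, user_id, username, password) -> bool:
        return self.kdf(cache_material(user_id, username, password), self.salt) in self.keys


def password_bypassed(kdf, username: str) -> bool:
    """Prime the cache with a correct login, then try a wrong password during an
    'agent outage'. True means the wrong password was accepted from the cache."""
    cache = DelAuthCache(kdf)
    cache.record_success(USER_ID, username, "correct-horse-battery-staple")
    assert cache.fallback_login(USER_ID, username, "correct-horse-battery-staple")
    return cache.fallback_login(USER_ID, username, "definitely-wrong")


if __name__ == "__main__":
    long_name = "a" * 53  # 20 + 53 = 73 bytes, so the password sits past byte 72
    for name, kdf in (("bcrypt-like", truncating_kdf), ("pbkdf2", pbkdf2_kdf)):
        print(name, "short username bypass:", password_bypassed(kdf, "alice"),
              "long username bypass:", password_bypassed(kdf, long_name))
```

With the truncating key the long username accepts any password while the short one does not; with PBKDF2 neither does, which is the defensive point.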
This incident highlights the importance of robust authentication policies and underscores the risks associated with relying on cached credentials without additional security layers. Customers are encouraged to implement MFA and review their system configurations to prevent similar vulnerabilities in the future.