Okta fixes a rather embarrassing, but very serious, password flaw


Okta has fixed a concerning security vulnerability which could have allowed cybercriminals to log into people’s accounts simply by creating a long username.

In a security advisory, the identity management firm said it inadvertently introduced a bug in its product in July 2024 which allowed people with usernames longer than 52 characters to log in without providing the correct password.

“On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication,” the security advisory reads.

Multiple conditions

Having a username of 52 characters or longer is just one of the conditions, the company noted, as users would also need to have Okta AD/LDAP delegated authentication, not use MFA, and would need to have been previously authenticated, creating a cache of the authentication.

“The cache was used first, which can happen if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic,” the advisory concluded.
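The mechanism behind the conditions above is that bcrypt only reads the first 72 bytes of its input. When the cache key is bcrypt(userId + username + password) and the userId plus username already fill those 72 bytes, the password is never hashed at all, so any password recomputes the same key as the one stored after the last successful login. The following is an added example written for this page, not Okta's code: it models bcrypt's truncation with a constructed stand-in (SHA-256 over the first 72 bytes), shows the flawed key derivation beside a hardened one that pre-hashes length-prefixed fields so every byte of the password is bound into the key, and models the cache fallback path. The 20-character userId is a constructed placeholder chosen so that 20 + 52 = 72, which is the assumption behind the article's 52-character threshold.

```python
import hashlib
import hmac
import os

# bcrypt consumes only the first 72 bytes of its input; anything beyond
# that is silently ignored. Everything below models that single property.
BCRYPT_MAX_INPUT = 72

# Constructed placeholder userId (20 chars). Assumption: with a 20-byte
# userId, a 52-byte username fills bcrypt's 72-byte window entirely.
EXAMPLE_USER_ID = "00u" + "X" * 17


def model_bcrypt(data: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt (constructed, NOT the real algorithm): it keeps
    # only the truncation behaviour, with SHA-256 as the mixing function.
    return hashlib.sha256(salt + data[:BCRYPT_MAX_INPUT]).digest()


def vulnerable_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    # The flawed construction the advisory describes: userId, username and
    # password concatenated and handed straight to bcrypt.
    combined = (user_id + username + password).encode("utf-8")
    return model_bcrypt(combined, salt)


def hardened_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    # Fix: length-prefix each field (so "ab"+"c" and "a"+"bc" differ) and
    # pre-hash with SHA-512, so bcrypt always sees exactly 64 bytes and every
    # byte of every field, including the password, influences the key.
    h = hashlib.sha512()
    for field in (user_id, username, password):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return model_bcrypt(h.digest(), salt)


def cache_lookup_accepts(stored_key: bytes, user_id: str, username: str,
                         password: str, salt: bytes, keyfn) -> bool:
    # Models the fallback path: the AD/LDAP agent is unreachable, so the
    # login is checked against the key cached by the last successful auth.
    candidate = keyfn(user_id, username, password, salt)
    return hmac.compare_digest(candidate, stored_key)


def password_is_bound(user_id: str, username: str, keyfn,
                      salt: bytes = b"constructed-salt") -> bool:
    # Sanity check a defender can run against any key-derivation scheme:
    # two different passwords must never yield the same cache key.
    k1 = keyfn(user_id, username, "correct horse", salt)
    k2 = keyfn(user_id, username, "wrong password", salt)
    return k1 != k2


if __name__ == "__main__":
    salt = os.urandom(16)
    # 52 characters or more, the article's threshold; constructed sample value.
    long_user = "a" * 52 + "@example.com"
    for name, fn in (("vulnerable", vulnerable_cache_key),
                     ("hardened", hardened_cache_key)):
        stored = fn(EXAMPLE_USER_ID, long_user, "correct horse", salt)
        hit = cache_lookup_accepts(stored, EXAMPLE_USER_ID, long_user,
                                   "anything", salt, fn)
        print(f"{name}: wrong password accepted from cache -> {hit}")
```

`password_is_bound` is the check worth keeping: run it with a username at and just below the threshold, and it shows the flawed scheme binding the password only while the userId and username leave room inside the 72-byte window, whereas the pre-hashed scheme binds it at any username length.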

So far, there is no evidence that the vulnerability was abused by anyone, and while it may sound like a stretch, exploiting it might actually be quite easy, as users could have their email addresses and their organization’s website domain as their username, making guessing the username a simple matter.

As a result, Okta is now advising its users to go through their logs for any suspicious logins.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for many media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
