Okta has fixed a concerning security vulnerability that could have allowed attackers to log into people's accounts simply by using a long enough username.
In a security advisory, the identity management firm said it inadvertently introduced a bug into its product in July 2024 which allowed accounts with usernames of 52 characters or more to log in without providing the correct password.
"On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication," the security advisory reads.
Multiple conditions
Having a username of 52 characters or longer is just one of the conditions, the company noted: the account would also need to use Okta AD/LDAP delegated authentication, not be protected by MFA, and would need to have authenticated successfully before, so that a cached entry for it existed. The length threshold follows from bcrypt itself, which only hashes the first 72 bytes of its input. Once the userId and username fill that prefix, the password contributes nothing to the cache key, so any password submitted with that username recomputes to the stored key and is accepted.
"The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic," the advisory concluded.
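To make the length condition concrete, here is an added model of the cache-key construction the advisory describes; it is example code written for this page, not Okta's own. bcrypt's core is replaced by SHA-256 so the script runs with the standard library alone, but the 72-byte input cut-off that bcrypt applies is reproduced, and PBKDF2-HMAC is shown beside it as a derivation with no such limit. The 20-character userId is an assumption, chosen because it makes the 52-character figure in the advisory fall out (72 - 20 = 52); the salt and passwords are constructed sample values.

```python
import hashlib

# bcrypt only processes the first 72 bytes of the password it is given;
# anything beyond that is silently ignored.
BCRYPT_INPUT_LIMIT = 72

# Assumed 20-character Okta userId (an assumption made for this example):
# 72 - 20 = 52, the username length quoted in the advisory.
ASSUMED_USER_ID = "00u" + "x" * 17


def bcrypt_style_key(salt: bytes, material: bytes) -> str:
    """Stand-in for the bcrypt-derived cache key.

    SHA-256 replaces the bcrypt core so this runs without the bcrypt
    package, but the 72-byte truncation, the property that matters here,
    is reproduced exactly.
    """
    return hashlib.sha256(salt + material[:BCRYPT_INPUT_LIMIT]).hexdigest()


def pbkdf2_key(salt: bytes, material: bytes) -> str:
    """PBKDF2-HMAC-SHA256 mixes in every byte of the input; no length limit."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, 10_000).hex()


def cache_key(user_id: str, username: str, password: str, kdf,
              salt: bytes = b"constructed-salt") -> str:
    """The advisory's construction: hash the combined userId + username + password."""
    return kdf(salt, (user_id + username + password).encode())


def password_is_ignored(user_id: str, username: str) -> bool:
    """True when userId + username alone already fills bcrypt's 72-byte window,
    so nothing of the password reaches the hash."""
    return len((user_id + username).encode()) >= BCRYPT_INPUT_LIMIT


def min_vulnerable_username_length(user_id: str) -> int:
    """Shortest username for which the password is ignored, for a given userId."""
    return max(0, BCRYPT_INPUT_LIMIT - len(user_id.encode()))


def cached_check_accepts(user_id: str, username: str, cached_key: str,
                         candidate_password: str, kdf) -> bool:
    """Model of the fallback path used when the AD/LDAP agent is unreachable:
    recompute the key from the submitted credentials and compare to the cache."""
    return cache_key(user_id, username, candidate_password, kdf) == cached_key


if __name__ == "__main__":
    long_user = "a" * 52          # 52 characters, the advisory's threshold
    real_pw, wrong_pw = "Correct-Horse-1", "anything-at-all"

    stored = cache_key(ASSUMED_USER_ID, long_user, real_pw, bcrypt_style_key)
    print("bcrypt-style, long username, wrong password accepted:",
          cached_check_accepts(ASSUMED_USER_ID, long_user, stored, wrong_pw,
                               bcrypt_style_key))

    stored = cache_key(ASSUMED_USER_ID, long_user, real_pw, pbkdf2_key)
    print("PBKDF2, long username, wrong password accepted:",
          cached_check_accepts(ASSUMED_USER_ID, long_user, stored, wrong_pw,
                               pbkdf2_key))
```

The useful check for a defender is `min_vulnerable_username_length`: for whatever userId length your identity provider actually uses, it gives the username length at which a truncating hash stops seeing the password at all. Note that it describes the all-or-nothing case; a username one character shorter still leaves only a single byte of the password inside the hashed window, which is barely better.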
So far there is no evidence that the vulnerability was abused by anyone, and while the list of conditions may sound like a stretch, exploiting it could be quite easy: usernames are often the user's email address on the organization's own domain, so a sufficiently long username is straightforward to guess, and the password itself is never needed.
As a result, Okta is now advising its customers to go through their logs for any suspicious logins, in particular successful sign-ins by accounts with long usernames during periods when the AD/LDAP agent was down or unreachable.