An Okta login bug bypassed checking passwords on some long usernames

Share via:


Illustration of a password above an open combination lock, implying a data breach.
Illustration by Cath Virginia / The Verge | Photo from Getty Images

On Friday evening, Okta posted an odd update to its list of security advisories. The latest entry reveals that under specific circumstances, someone could’ve logged in by entering anything for a password, but only if the account’s username had over 52 characters.

According to the note people reported receiving, other requirements to exploit the vulnerability included Okta checking the cache from a previous successful login, and that an organization’s authentication policy didn’t add extra conditions like requiring multi-factor authentication (MFA).

Here are the details that are currently available:

On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. During specific conditions, this could allow users to authenticate by only providing the username with the stored cache key of a previous successful authentication.

The vulnerability can be exploited if the agent is down and cannot be reached OR there is high traffic. This will result in the DelAuth hitting the cache first.

According to the note, the flaw has been present since an update on July 23rd until it was resolved by switching the cryptographic algorithm from Bcrypt to PBKDF2 after the vulnerability was internally identified. Okta didn’t immediately respond to a request for additional details but says customers whose setups meet the necessary conditions should check those three months of system logs.





Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Popular

More Like this

An Okta login bug bypassed checking passwords on some long usernames


Illustration of a password above an open combination lock, implying a data breach.
Illustration by Cath Virginia / The Verge | Photo from Getty Images

On Friday evening, Okta posted an odd update to its list of security advisories. The latest entry reveals that under specific circumstances, someone could’ve logged in by entering anything for a password, but only if the account’s username had over 52 characters.

According to the note people reported receiving, other requirements to exploit the vulnerability included Okta checking the cache from a previous successful login, and that an organization’s authentication policy didn’t add extra conditions like requiring multi-factor authentication (MFA).

Here are the details that are currently available:

On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. During specific conditions, this could allow users to authenticate by only providing the username with the stored cache key of a previous successful authentication.

The vulnerability can be exploited if the agent is down and cannot be reached OR there is high traffic. This will result in the DelAuth hitting the cache first.

According to the note, the flaw has been present since an update on July 23rd until it was resolved by switching the cryptographic algorithm from Bcrypt to PBKDF2 after the vulnerability was internally identified. Okta didn’t immediately respond to a request for additional details but says customers whose setups meet the necessary conditions should check those three months of system logs.





Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at office@startupnews.fyi

More like this

Now, Ola Electric’s CMO & CTPO Quit

SUMMARY CMO Anshul Khandelwal and CTPO Suvonil Chatterjee cited...

DPIIT Partners boAt To Foster D2C, Manufacturing Startups

SUMMARY DPIIT has signed a pact with boAt to...

Top 5 Bitcoin critics unfazed by $100K BTC milestone

Even with Bitcoin surging past $100,000 for the...

Popular

Upcoming Events

Startup Information that matters. Get in your inbox Daily!