Access management giant Okta has disclosed a bizarre vulnerability that could have allowed users to access accounts without a password.
On October 30th, Okta, a cloud-based identity and access management platform, discovered a vulnerability that affected user authentication.
The most bizarre part of the disclosure was that if the username was exceptionally long – at least 52 characters – no password was needed to access the account.
Okta generates the cache key using the Bcrypt password hashing algorithm. This key is created by hashing a user ID, username, and password.
It was discovered that, under certain conditions, users could log in without a password by supplying only their username, provided the cache key from an earlier successful login was still stored.
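To make the mechanism concrete, here is an added, self-contained model of the flaw and of a hardened alternative. It is not Okta's code and not from the article. It relies on one fact about bcrypt that the article does not spell out: bcrypt only consumes the first 72 bytes of its input and silently ignores the rest. Everything else is an assumption for illustration: the field order user ID + username + password, a constructed 20-character user ID (so that a 52-character username fills the 72 bytes exactly), and SHA-256 standing in for bcrypt so the example runs without a third-party package.

```python
import hashlib
import hmac

# bcrypt hashes only the first 72 bytes of its input; later bytes are silently dropped.
BCRYPT_INPUT_LIMIT = 72


def cache_key_material(user_id: str, username: str, password: str) -> bytes:
    """Concatenate the three fields the article names (field order is an assumption)."""
    return (user_id + username + password).encode("utf-8")


def truncating_cache_key(user_id: str, username: str, password: str) -> str:
    """Model of the flawed key: apply bcrypt's 72-byte cut-off, then hash what survives.

    SHA-256 is a stand-in for bcrypt so this runs offline; the property under study is
    the truncation, not the choice of hash.
    """
    material = cache_key_material(user_id, username, password)[:BCRYPT_INPUT_LIMIT]
    return hashlib.sha256(material).hexdigest()


def password_bytes_dropped(user_id: str, username: str) -> bool:
    """True when user ID + username alone fill 72 bytes, so no byte of the password is hashed."""
    prefix = (user_id + username).encode("utf-8")
    return len(prefix) >= BCRYPT_INPUT_LIMIT


def hardened_cache_key(user_id: str, username: str, password: str, server_secret: bytes) -> str:
    """Hardened form (illustrative, not Okta's fix): length-prefix each field, then HMAC it all.

    HMAC-SHA256 has no input limit, so a long username cannot push the password past a
    cut-off, and the length prefixes stop ("ab", "c") and ("a", "bc") from colliding.
    The 32-byte result could still be fed to a slow hash afterwards if one is wanted.
    """
    fields = (user_id.encode("utf-8"), username.encode("utf-8"), password.encode("utf-8"))
    material = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(server_secret, material, hashlib.sha256).hexdigest()


# Constructed sample values, not real Okta data: a 20-character user ID plus
# usernames of 52 and 51 characters.
USER_ID = "00u" + "x" * 17
LONG_USERNAME = ("a" * 40) + "@example.com"   # 40 + 12 = 52 characters
SHORT_USERNAME = ("a" * 39) + "@example.com"  # 51 characters
SECRET = b"constructed-server-secret"

if __name__ == "__main__":
    for name in (SHORT_USERNAME, LONG_USERNAME):
        with_pw = truncating_cache_key(USER_ID, name, "correct horse battery")
        no_pw = truncating_cache_key(USER_ID, name, "")
        print(f"{len(name)}-char username: password dropped={password_bytes_dropped(USER_ID, name)}, "
              f"empty password gives same key={with_pw == no_pw}")
```

With the 52-character username the password contributes nothing to the flawed key, so the key computed for an empty password equals the one cached after a real login; with 51 characters one password byte still lands inside the limit and the keys differ. The hardened key differs in every case because no input byte is ever discarded.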
The vulnerability was patched the same day, and the company stated that it only affected the product version Okta AD/LDAP DelAuth as of July 23rd, 2024.
In the security advisory on the company’s website, first spotted by Davey Winder, a hacker and senior contributor for Forbes, Okta urges customers to check their Okta System Log for any logins with usernames greater than 52 characters between July 23rd, 2024, and October 30th, 2024.
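The check Okta asks for can be scripted over an export of the System Log. The following is an added example, not Okta's tooling, run against constructed NDJSON events rather than real tenant data. The field names used (`published`, `actor.alternateId`, `outcome.result`) are those of the Okta System Log schema as I know it; the article does not say which event types the DelAuth flow emits, so the script does not filter on `eventType`. The article gives the threshold both as "at least 52" and "greater than 52" characters; the script takes the inclusive reading, which is the more conservative one.

```python
import json
from datetime import datetime, timezone

# Review window from the advisory as quoted in the article; end bound is exclusive so
# that all of October 30th is covered.
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)
USERNAME_THRESHOLD = 52

# Constructed System Log events (one JSON object per line), not real data.
SAMPLE_LOG = """\
{"published":"2024-08-01T09:12:00.000Z","eventType":"user.session.start","actor":{"id":"00uAAAAAAAAAAAAAAAAA","alternateId":"alice@example.com"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-09-15T22:05:13.000Z","eventType":"user.session.start","actor":{"id":"00uBBBBBBBBBBBBBBBBB","alternateId":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@example.com"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-02T10:00:00.000Z","eventType":"user.session.start","actor":{"id":"00uCCCCCCCCCCCCCCCCC","alternateId":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb@example.com"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-10-02T03:30:00.000Z","eventType":"user.session.start","actor":{"id":"00uDDDDDDDDDDDDDDDDD","alternateId":"cccccccccccccccccccccccccccccccccccccccccccccccccccc@example.com"},"outcome":{"result":"FAILURE"}}
"""


def parse_published(ts: str) -> datetime:
    """Parse the System Log 'published' timestamp (UTC, millisecond precision, trailing Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_long_username_logins(ndjson: str, successful_only: bool = True) -> list:
    """Return events inside the advisory window whose username length meets the threshold.

    successful_only=True mirrors the advisory's concern (a login that actually succeeded);
    pass False to also surface failed attempts with over-long usernames.
    """
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        username = event.get("actor", {}).get("alternateId") or ""
        result = event.get("outcome", {}).get("result")
        when = parse_published(event["published"])
        if not (WINDOW_START <= when < WINDOW_END):
            continue
        if len(username) < USERNAME_THRESHOLD:
            continue
        if successful_only and result != "SUCCESS":
            continue
        hits.append({
            "published": event["published"],
            "actor_id": event.get("actor", {}).get("id"),
            "username": username,
            "length": len(username),
            "result": result,
        })
    return hits


if __name__ == "__main__":
    for hit in find_long_username_logins(SAMPLE_LOG):
        print(f"{hit['published']} {hit['result']} len={hit['length']} {hit['username']}")
```

On the constructed sample only the September event is reported: the June event has a long username but lies before July 23rd, and the October event is excluded by the success filter unless `successful_only=False` is passed. Any hit should be reviewed together with the session's source IP and subsequent activity, which the sample omits.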
Okta also recommends implementing multi-factor authentication (MFA).
While having a username of more than 52 characters does not seem to be a very common practice among users, it still raises security concerns, as the company has been extensively targeted.
In May, the company issued a warning about malicious actors targeting its Customer Identity Cloud (CIC) with credential-stuffing attacks. Last November, Okta experienced a data breach in its support system, with attackers stealing data from all Okta customer support users.
Headquartered in San Francisco, the American company has around 6,000 employees globally and nearly 20,000 customers, including the US Department of Justice, JetBlue, Zoom, T-Mobile, Hewlett Packard, and others.