advertisement
X-twitter Facebook Instagram Linkedin Youtube Spotify
Facebook
X
LinkedIn
WhatsApp
Reddit

Okta had a bizarre vulnerability it has already fixed

  • A routine update in July introduced an odd vulnerability for Okta.
  • The company says that under a specific set of circumstances, a user with a 52-character username could log in without a password.
  • The vulnerability was fixed on 30th October.

Last week access management company Okta whose clients include HP Enterprise, Zoom, jetBlue and others, reported it had fixed one of the more bizarre issues we’ve heard of.

On 30th October the company identified a bug which would appear under a very specific set of circumstances in Okta AD/LDAP DelAuth. If those criteria were met, a user wouldn’t need to input a password in order to be authenticated.

The criteria that needed to be met was:

  • Okta AD/LDAP delegated authentication is used
  • MFA [multi-factor authentication] is not applied
  • The username is 52 characters or longer
  • The user previously authenticated creating a cache of the authentication
  • The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic

The headline that has been grabbing attention is that if a user’s username was 52 characters long attackers could log into their account without a password. As we see above however, there was more to it than simply keying in a long user name. Granted, the fact that logging in would be as easy as inputting a username if the above criteria was met sure is terrible.

However, the fact that if that criteria was met a user could bypass the need for a password is nonetheless concerning and so the vulnerability has now been addressed. Okta says that the vulnerability was introduced as part of a standard release in July.

“Customers meeting the pre-conditions should investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters between the period of July 23rd, 2024 to October 30th, 2024,” the company wrote.

“On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password, Okta explained.

The company says that it has switched from a Bcrypt cryptographic algorithm to PBKDF2 to correct the issue.

With a lack of MFA listed as one of the criteria of this vulnerability, the company has urged its customers to implement MFA at a minimum.

“We also strongly encourage customers to enroll users in phishing resistant authenticators (such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards) and to enforce phishing resistance for access to all applications,” Okta added.

advertisement

About Author

More
Picture of Brendyn Lotz

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.

Related News

What Google said about the Competition Commission’s MDPMI

Cassava gives AI firm access to its collection of GPUs

Don’t travel without considering this new Bolt feature

Diversification has been key to Vodacom’s success

Why the SABC can’t produce fresh content

Acer South Africa prioritises local assembly of commercial monitors

advertisement
Facebook Instagram Linkedin Youtube Spotify
Hypertext is one of South Africa’s leading technology news and reviews sites. We publish original content daily for consumers and businesses.
All original words & media by Hypertext by htxt.media are licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Permissions beyond the scope of this license may be available at Hypertext. Where images and material are supplied by rights holders outside of htxt.media, original publishing licences are indicated and unaffected.
Click here to suggest a story.
Click here for advertising.

© 2025. All rights reserved by HTXT.