Okta published a surprising update to its security advisories disclosing a critical vulnerability that potentially allowed unauthorized logins.
Under specific circumstances, an attacker could have accessed an account by entering any password, provided the username exceeded 52 characters.
The flaw, first identified on October 30, 2024, lay in how Okta’s cache handled authentication attempts in AD/LDAP DelAuth environments. For the vulnerability to be triggered, Okta must have served the login from cached data left by a previous successful attempt. Additionally, organizations with more relaxed authentication policies—such as those not enforcing multi-factor authentication (MFA)—were more susceptible.
Here are the details that are currently available:
On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. During specific conditions, this could allow users to authenticate by only providing the username with the stored cache key of a previous successful authentication.
The vulnerability can be exploited if the agent is down and cannot be reached OR there is high traffic. This will result in the DelAuth hitting the cache first.
Okta allowing login bypass for any usernames with 52+ characters is insane
— Kinnaird McQuade 💻☁️💥 (@kmcquade3) November 1, 2024
Official Security Advisory: https://t.co/3b4v30q53z pic.twitter.com/yD8FkgwSgs
The vulnerability had been active since an update on July 23, 2024, until Okta patched it by switching from Bcrypt to PBKDF2. Okta advises customers with affected configurations to review logs from the past three months to check for any unauthorized access attempts.
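To make the mechanism concrete, here is an added example (not Okta's code, and not a real bcrypt implementation): bcrypt only hashes the first 72 bytes of its input, so once userId + username fills that window the password no longer influences the cache key. The vulnerable derivation below models that 72-byte limit with a plain stdlib hash, the fixed derivation uses PBKDF2 over the full input, and the 20-character userId, salt and iteration count are constructed assumptions.

```python
import hashlib
import hmac

# bcrypt consumes only the first 72 bytes of its input and silently ignores the
# rest. The vulnerable derivation MODELS that limit with SHA-256 over the
# truncated input (constructed stand-in, not real bcrypt and not Okta's code).
BCRYPT_INPUT_LIMIT = 72

# Constructed sample parameters for the fixed derivation; the real ones are unknown.
CACHE_SALT = b"constructed-salt-for-demo"
PBKDF2_ITERATIONS = 100_000


def vulnerable_cache_key(user_id: str, username: str, password: str) -> str:
    """Advisory shape: hash(userId + username + password), but only the first
    72 bytes survive, exactly as they would with bcrypt."""
    material = (user_id + username + password).encode("utf-8")
    return hashlib.sha256(material[:BCRYPT_INPUT_LIMIT]).hexdigest()


def fixed_cache_key(user_id: str, username: str, password: str) -> str:
    """Post-fix shape: PBKDF2-HMAC-SHA256 over the full, length-delimited input."""
    # Length-prefix each field so 'ab'+'c' and 'a'+'bc' cannot collide either.
    material = b"".join(len(f).to_bytes(2, "big") + f.encode("utf-8")
                        for f in (user_id, username, password))
    return hashlib.pbkdf2_hmac("sha256", material, CACHE_SALT, PBKDF2_ITERATIONS).hex()


def password_bytes_hashed(user_id: str, username: str) -> int:
    """Bytes of the password that still fall inside the 72-byte window.
    Zero means every password yields the same key: the advisory's failure mode."""
    prefix_len = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def cached_login_accepted(key_fn, user_id, username, cached_password, attempt_password):
    """Simulate DelAuth answering from cache: accept when the derived keys match."""
    cached = key_fn(user_id, username, cached_password)
    attempt = key_fn(user_id, username, attempt_password)
    return hmac.compare_digest(cached, attempt)


if __name__ == "__main__":
    uid, long_name = "u" * 20, "a" * 52          # constructed: 20 + 52 = 72 bytes
    print("password bytes hashed:", password_bytes_hashed(uid, long_name))
    print("vulnerable accepts wrong password:",
          cached_login_accepted(vulnerable_cache_key, uid, long_name, "correct", "wrong"))
    print("fixed accepts wrong password:",
          cached_login_accepted(fixed_cache_key, uid, long_name, "correct", "wrong"))
```

The `password_bytes_hashed` check is the kind of audit a defender can run over their own userId and username lengths to see which accounts fell inside the affected window.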
Bijay Pokharel