Okta fixes serious security vulnerability: Usernames longer than 52 characters can bypass login verification
23pds, the Chief Information Security Officer of SlowMist, posted that Okta allows login bypass for any username over 52 characters! According to the announcement by Okta, an identity and access management software provider, a vulnerability was discovered on October 30th when generating cache keys for AD/LDAP DelAuth internally. The Bcrypt algorithm is used to generate cache keys, where we hash the combination string of userId + username + password. Under certain conditions, this can allow users to authenticate only by providing previously successfully authenticated stored cache keys to the username.
The premise of this vulnerability is that the username must equal or exceed 52 characters each time a cache key is generated for the user. The affected products and versions are Okta AD/LDAP DelAuth up to July 23, 2024, and the vulnerability was resolved in Okta's production environment on October 30, 2024.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
AAVE breaks above $140
Solana Sees Resurgence in Institutional Investment and User Growth in Q3 2024
Here’s How Much Bitcoin Trump’s VP Pick JD Vance Owns
Bitcoin ETF Inflows Pause as U.S. Election Uncertainty Rises
Trending news
MoreCrypto prices
More
