An Okta login bug bypassed checking passwords on some long usernames

The vulnerability is fixed now, but Okta said that for 3 months it could’ve been used to access accounts with usernames at least 52 characters long.

By Richard Lawler, a senior editor following news across tech, culture, policy, and entertainment. He joined The Verge in 2021 after several years covering news at Engadget.

Nov 2, 2024, 2:00 AM UTC

Illustration by Cath Virginia / The Verge | Photo from Getty Images

On Friday evening, Okta posted an unusual update to its list of security advisories. The latest entry reveals that under specific circumstances, someone could’ve logged in by entering anything for a password, but only if the account’s username had over 52 characters.

According to the note people reported receiving, other requirements to exploit the vulnerability included Okta checking the cache from a previous successful login, and that an organization’s authentication policy didn’t add other conditions like requiring multi-factor authentication (MFA).

Here are the details that are currently available:

On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. During specific conditions, this could allow users to authenticate by only providing the username with the stored cache key of a previous successful authentication.

The vulnerability can be exploited if the agent is down and cannot be reached OR there is high traffic. This will result in the DelAuth hitting the cache first.

According to the note, the flaw had been present since an update on July 23rd until it was resolved by switching the cryptographic algorithm from Bcrypt to PBKDF2 after the vulnerability was internally identified. Okta didn’t immediately respond to a request for further details but says customers whose setups meet the necessary conditions should check those 3 months of system logs.
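As an added illustration (not Okta’s code and not from the advisory) of why the username length matters: bcrypt ignores input beyond 72 bytes, so once userId + username fills those 72 bytes the password no longer influences a key built as hash(userId + username + password). The stand-in below models only that truncation property (it is not bcrypt), assumes a 20-character user id, and shows PBKDF2 and pre-hashing as constructions that do not have the problem, together with the regression check a defender would keep.

```python
import hashlib
import hmac
from typing import Callable

BCRYPT_INPUT_LIMIT = 72  # bytes; real bcrypt silently ignores input past this point

# Stand-in that models ONLY bcrypt's input limit (it is not bcrypt): bytes
# beyond position 72 never influence the output, which is the property at issue.
def truncating_kdf(data: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + data[:BCRYPT_INPUT_LIMIT]).digest()

# PBKDF2-HMAC-SHA256 consumes the whole input, whatever its length.
def pbkdf2_kdf(data: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)

# Pre-hashing collapses the variable-length input to a fixed 64 hex chars before
# any length-limited KDF sees it, so no field can push the password out of range.
def prehash_kdf(data: bytes, salt: bytes) -> bytes:
    return truncating_kdf(hashlib.sha256(data).hexdigest().encode(), salt)

# The cache-key shape the advisory describes: hash(userId + username + password).
def concat_cache_key(kdf: Callable[[bytes, bytes], bytes], user_id: str,
                     username: str, password: str, salt: bytes) -> bytes:
    return kdf((user_id + username + password).encode(), salt)

# Regression check: two different passwords for the same account must never
# derive the same cache key, regardless of how long the identity fields are.
def password_affects_key(kdf, user_id: str, username: str) -> bool:
    salt = b"constructed-fixed-salt"  # fixed so only the password varies
    k1 = concat_cache_key(kdf, user_id, username, "hunter2-constructed", salt)
    k2 = concat_cache_key(kdf, user_id, username, "Tr0ub4dor&3-constructed", salt)
    return not hmac.compare_digest(k1, k2)

USER_ID = "00u" + "x" * 17  # constructed; assumes a 20-character Okta user id

if __name__ == "__main__":
    kdfs = [("truncating", truncating_kdf), ("pbkdf2", pbkdf2_kdf), ("prehash", prehash_kdf)]
    for name, kdf in kdfs:
        for n in (51, 52):  # 20 + 52 = 72: the password falls entirely past the limit
            ok = password_affects_key(kdf, USER_ID, "u" * n)
            print(f"{name:10s} username={n} chars -> password checked: {ok}")
```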