Okta vulnerability allowed accounts with long usernames to log in without a password
In a brand new safety advisory, Okta has revealed that its system had a vulnerability that allowed folks to log into an account with out having to offer the proper password. Okta bypassed password authentication if the account had a username that had 52 or extra characters. Additional, its system needed to detect a “saved cache key” of a earlier profitable authentication, which implies the account’s proprietor needed to have earlier historical past of logging in utilizing that browser. It additionally did not have an effect on organizations that require multi-factor authentication, in line with the discover the corporate despatched to its customers.
Nonetheless, a 52-character username is less complicated to guess than a random password — it may very well be so simple as an individual’s e mail tackle that has their full title together with their group’s web site area. The corporate has admitted that the vulnerability was launched as a part of an ordinary replace that went out on July 23, 2024 and that it solely found (and stuck) the difficulty on October 30. It is now advising prospects who meet all the vulnerability’s situations to test their entry log over the previous few months.
Okta supplies software program that makes it straightforward for corporations so as to add authentication providers to their utility. For organizations with a number of apps, it provides customers entry to a single, unified log-in so they do not need to confirm their identities for every utility. The corporate did not say whether or not it is conscious of anyone who’s been affected by this particular difficulty, but it surely promised to “talk extra quickly with prospects” prior to now after the risk group Lapsus$ accessed a few customers’ accounts.