1. Forum
  2. TQWNet
  3. TQW GENTECH

  • Okta fixes a rather embarrassing, but very serious, password flaw

    From TechnologyDaily@1337:1/100 to All on Monday, November 04, 2024 12:30:05
    Okta fixes a rather embarrassing, but very serious, password flaw

    Date:
    Mon, 04 Nov 2024 12:28:00 +0000

    Description:
    Creating a super-long username allowed Okta users to login without a password.

    FULL STORY ======================================================================

    Okta has fixed a concerning security vulnerability which could have allowed cybercriminals to log into peoples accounts simply by creating a long username.

    In a security advisory , the identity management firm said it inadvertently introduced a bug in its product in July 2024 which allowed people with usernames longer than 52 characters to log in without providing the right password.

    On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username +
    password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of
    a previous successful authentication, the security advisory reads. Multiple conditions

    Having a username of 52 characters or longer is just one of the conditions, the company noted, as users would also need to have Okta AD/LDAP delegated authentication, not apply MFA , and would need to have been previously authenticated, creating a cache of the authentication.

    The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic, the advisory concluded.

    So far, there is no evidence that the vulnerability was abused by anyone, and while it may sound like a stretch, exploiting it might actually be quite
    easy, as users could have their email addresses and their organizations website domain as their username, making guessing the username a simple
    thing.

    As a result, Okta is now warning its users to go through the logs for any suspicious logins. More from TechRadar Pro Okta warns users to be aware of damaging cyberattacks targeting customers Here's a list of the best firewalls today These are the best endpoint protection tools right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/okta-fixes-a-rather-embarrassing-but-ve ry-serious-password-flaw


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)