Okta has fixed a concerning security vulnerability which could have allowed cybercriminals to log into people’s accounts simply by creating a long username.
In a security advisory, the identity management firm said it inadvertently introduced a bug in its product in July 2024 which allowed people with usernames longer than 52 characters to log in without providing the right password.
“On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication,” the security advisory reads.
Multiple conditions
Having a username of 52 characters or longer is just one of the conditions, the company noted, as users would also need to have Okta AD/LDAP delegated authentication, not apply MFA, and would need to have been previously authenticated, creating a cache of the authentication.
“The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic,” the advisory concluded.
So far, there is no evidence that the vulnerability was abused by anyone, and while it may sound like a stretch, exploiting it might actually be quite easy, as users could have their email addresses and their organization’s website domain as their username, making guessing the username a simple thing.
As a result, Okta is now warning its users to go through the logs for any suspicious logins.