A vulnerability in Okta’s authentication service recently allowed users with usernames of 52 characters or more to log in with any password.
This flaw specifically impacted Okta’s AD/LDAP Delegated Authentication (DelAuth) system, which many organizations rely on for secure user authentication. Fortunately, the vulnerability has now been patched.
Okta’s official notice explained that the issue stemmed from the bcrypt algorithm used to generate the cache key. Because of how bcrypt was used in that key generation, a sufficiently long username allowed the password check to be bypassed.
To fix this issue, Okta switched to a more secure algorithm known as PBKDF2, which has effectively resolved the vulnerability.
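The added example below is not Okta's code and does not reproduce its cache-key layout, which the article does not describe. It models the general failure mode: a key-derivation step that only consumes a fixed number of input bytes (bcrypt processes at most the first 72 bytes of its input; that is a property of the algorithm) silently ignores whatever follows, so once the username fills that budget the password no longer influences the key. SHA-256 over the truncated bytes stands in for bcrypt so the block runs with the Python standard library alone, and PBKDF2-HMAC-SHA256 from `hashlib` shows the length-independent alternative. The length-prefixed `username || password` layout and the demo salt are constructed assumptions; because the real amount of material preceding the password is unknown, the exact 52-character threshold from the advisory is not reproduced here.

```python
import functools
import hashlib

# bcrypt hashes only the first 72 bytes of its input; this constant models that limit.
BCRYPT_INPUT_LIMIT = 72


def key_material(username: str, password: str) -> bytes:
    """Constructed layout (assumption): length-prefixed username then password.

    Length prefixes stop "ab"+"c" and "a"+"bc" from producing the same bytes.
    """
    u = username.encode("utf-8")
    p = password.encode("utf-8")
    return len(u).to_bytes(2, "big") + u + len(p).to_bytes(2, "big") + p


def truncating_cache_key(material: bytes) -> str:
    """Model of a KDF that drops every byte past the 72-byte limit.

    SHA-256 is a stand-in for bcrypt here; the truncation is the property under test.
    """
    return hashlib.sha256(material[:BCRYPT_INPUT_LIMIT]).hexdigest()


def pbkdf2_cache_key(material: bytes, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 consumes the whole input, so every password byte matters."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations).hex()


# Fixed salt purely so the demo is deterministic; real deployments use per-entry random salts.
PBKDF2_DEMO = functools.partial(pbkdf2_cache_key, salt=b"constructed-demo-salt")


def password_affects_key(kdf, username: str) -> bool:
    """True when changing the password changes the cache key, i.e. the password is actually checked."""
    k_right = kdf(key_material(username, "correct-password"))
    k_wrong = kdf(key_material(username, "anything-else-at-all"))
    return k_right != k_wrong


def bytes_of_password_consumed(username: str) -> int:
    """How many password bytes survive truncation for this (constructed) layout; 0 means any password matches."""
    prefix_len = 2 + len(username.encode("utf-8")) + 2
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


if __name__ == "__main__":
    long_user = "a" * 80  # constructed: long enough to exhaust the 72-byte budget in this layout
    for name, kdf in (("truncating (bcrypt-like)", truncating_cache_key), ("PBKDF2", PBKDF2_DEMO)):
        print(f"{name:26} short user checks password: {password_affects_key(kdf, 'alice')}")
        print(f"{name:26} long  user checks password: {password_affects_key(kdf, long_user)}")
    print("password bytes consumed for long user:", bytes_of_password_consumed(long_user))
```

The defensive takeaways the example makes concrete: never feed a length-limited primitive with a concatenation that puts the secret last, validate that the KDF input fits the primitive's limit (or pre-hash it), and prefer a KDF such as PBKDF2 whose output depends on every input byte.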
In light of the flaw, Okta is advising organizations to review their login logs. This measure can help detect any unauthorized access that may have occurred since the flaw’s initial discovery in July.
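As an added illustration of the log review Okta recommends (this is not Okta's tooling, and the line-delimited JSON records and their field names are constructed for the example; map them to your own log source's fields), the block below flags successful delegated-authentication logins whose username is 52 characters or longer and that occurred on or after a review-window start the caller supplies. A flagged event is a candidate for investigation, not proof of compromise.

```python
import json
from datetime import datetime, timezone

# From the advisory: usernames of 52 characters or more were affected.
USERNAME_THRESHOLD = 52

# Constructed sample records; field names are an assumption, not Okta's schema.
SAMPLE_LOG_LINES = [
    '{"published": "2024-08-02T09:15:00Z", "eventType": "user.authentication", "provider": "AD_LDAP_DELAUTH", "outcome": "SUCCESS", "username": "' + "x" * 60 + '@example.com"}',
    '{"published": "2024-08-02T09:16:00Z", "eventType": "user.authentication", "provider": "AD_LDAP_DELAUTH", "outcome": "FAILURE", "username": "' + "y" * 60 + '@example.com"}',
    '{"published": "2024-08-02T09:17:00Z", "eventType": "user.authentication", "provider": "AD_LDAP_DELAUTH", "outcome": "SUCCESS", "username": "alice@example.com"}',
    '{"published": "2024-06-30T23:59:00Z", "eventType": "user.authentication", "provider": "AD_LDAP_DELAUTH", "outcome": "SUCCESS", "username": "' + "z" * 60 + '@example.com"}',
    '{"published": "2024-08-02T09:18:00Z", "eventType": "user.authentication", "provider": "OKTA_PASSWORD", "outcome": "SUCCESS", "username": "' + "w" * 60 + '@example.com"}',
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def suspicious_logins(lines, window_start: datetime, threshold: int = USERNAME_THRESHOLD):
    """Return (timestamp, username) for successful DelAuth logins with long usernames inside the window."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventType") != "user.authentication":
            continue
        if ev.get("provider") != "AD_LDAP_DELAUTH":   # only the delegated-auth path was affected
            continue
        if ev.get("outcome") != "SUCCESS":           # failed attempts did not bypass anything
            continue
        if len(ev.get("username", "")) < threshold:
            continue
        ts = parse_ts(ev["published"])
        if ts < window_start:
            continue
        hits.append((ts.isoformat(), ev["username"]))
    return hits


if __name__ == "__main__":
    # Constructed window start for the demo; use the date from Okta's notice for a real review.
    start = datetime(2024, 7, 1, tzinfo=timezone.utc)
    for ts, user in suspicious_logins(SAMPLE_LOG_LINES, start):
        print(f"REVIEW {ts} {user} (len={len(user)})")
```

Running the sample yields one hit: the in-window successful DelAuth login with a 72-character username. The failed attempt, the short username, the pre-window event, and the non-delegated provider are all excluded, which keeps the review list small enough to check each entry by hand.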