Okta Security Flaw Allowed Login Without Password for Long Usernames
A vulnerability in Okta's authentication system permitted, for roughly three months, password-less access to accounts whose usernames were over 52 characters long.
Overview
- Okta discovered a security vulnerability in its system that allowed login without a password for usernames with 52 or more characters.
- The flaw was active from July 23, 2024, until it was fixed on October 30, 2024, after an internal discovery.
- The issue was linked to cache key generation using the Bcrypt algorithm, which was replaced by PBKDF2 to resolve the problem.
- Accounts were vulnerable only if a cache entry from a previous successful login was present and multi-factor authentication was not required for the account.
- Okta advises affected customers to review their access logs from the period when the vulnerability was active.
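The cache-key mechanism behind the flaw, as an added illustration that is not Okta's code: bcrypt only hashes the first 72 bytes of its input, so when a key is derived from a concatenation of user id, username and password (the layout assumed here), a long enough prefix pushes the password entirely past the cut-off and every password maps to the same cached key. The bcrypt call is modelled by SHA-256 over the truncated bytes so the example runs with the standard library only; the user id, salt and passwords are constructed values. With the constructed 20-byte user id, the summary's 52-character username is exactly where the password stops contributing, while the PBKDF2 key stays sensitive to every byte.

```python
import hashlib
import hmac

# bcrypt processes at most 72 bytes of input; bytes beyond that never affect the hash.
BCRYPT_INPUT_LIMIT = 72

USER_ID = "uid-00000000000001ab"            # constructed 20-byte user id
SALT = b"constructed-example-salt"         # constructed salt for the PBKDF2 variant


def truncating_cache_key(user_id: str, username: str, password: str) -> str:
    """Model of the flawed design: the combined string is cut at bcrypt's input limit.

    SHA-256 stands in for bcrypt here; the silent truncation is the behaviour under study.
    """
    combined = f"{user_id}{username}{password}".encode()
    return hashlib.sha256(combined[:BCRYPT_INPUT_LIMIT]).hexdigest()


def pbkdf2_cache_key(user_id: str, username: str, password: str) -> str:
    """Fixed design: PBKDF2-HMAC-SHA256 consumes the whole combined string."""
    combined = f"{user_id}{username}{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", combined, SALT, 50_000).hex()


def password_bytes_in_key(user_id: str, username: str) -> int:
    """Number of password bytes that can still influence a truncating key (0 = ignored)."""
    prefix_len = len(f"{user_id}{username}".encode())
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def key_ignores_password(key_fn, user_id: str, username: str) -> bool:
    """Defensive check: two different passwords must never yield the same cache key."""
    key_a = key_fn(user_id, username, "hunter2")
    key_b = key_fn(user_id, username, "S3cret!")
    return hmac.compare_digest(key_a, key_b)


if __name__ == "__main__":
    for length in (51, 52):
        name = "a" * length
        print(f"username length {length}: password bytes in truncating key = "
              f"{password_bytes_in_key(USER_ID, name)}, "
              f"truncating key ignores password = "
              f"{key_ignores_password(truncating_cache_key, USER_ID, name)}, "
              f"PBKDF2 key ignores password = "
              f"{key_ignores_password(pbkdf2_cache_key, USER_ID, name)}")
```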