• Vulnerable U
  • Posts
  • Okta Fixes Odd Bug That Allowed Any Password to Be Accepted

Okta Fixes Odd Bug That Allowed Any Password to Be Accepted

The flaw required a username of 52 characters or more

Computers are weird, and software is even weirder, something that was proven true once again yesterday when Okta announced that it had fixed an odd vulnerability in its AD/LDAP Delegated Authentication feature that in some very specific cases meant that Okta would accept any password if the username provided was 52 characters or longer. The vulnerability is related to a quirk in the Bcrypt hash algorithm and Okta addressed the issue by switching to the PBKDF256 algorithm. 

Why It Matters: Okta is one of the more popular and widely deployed identity providers and an attacker who was able to exploit this would have been able to authenticate with just the username. Enterprises that have an Okta deployment may have been at risk since the end of July. 

Key Details:

  • Okta identified the vulnerability internally on Oct. 30 and resolved it the same day

  • The bug was apparently present since July 23, and Okta said that any company that had a username of 52 characters or more between then and Oct. 30 should check its logs for signs of exploitation.

  • In order for the vulnerability to be present, the username must be 52 characters or more at the time that a cache key is generated for the user’s account.

“On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. During specific conditions, this could allow users to authenticate by only providing the username with the stored cache key of a previous successful authentication,” the Okta advisory says. 

“The vulnerability can be exploited if the agent is down and cannot be reached OR there is high traffic. This will result in the DelAuth hitting the cache first.”

The Big Picture: This vulnerability is bad, but only under some highly specific circumstances, which are probably unlikely to be present in most enterprises. Usernames of 52 characters are not exactly standard procedure, but the fact that it was discovered and disclosed means that it was present in some situations. Now that it’s public, attackers are likely to take notice.

<iframe src="https://embeds.beehiiv.com/a6407365-5497-4de1-b83b-acb60b1ae802" data-test-id="beehiiv-embed" width="100%" height="320" frameborder="0" style="border-radius: 4px; border: 2px solid #e5e7eb; margin: 0; background-color: transparent;"></iframe>