Okta vulnerability allowed accounts with lengthy usernames to log in and not using a password

In a brand new safety advisory, Okta has revealed that its system had a vulnerability that allowed individuals to log into an account with out having to offer the right password. Okta bypassed password authentication if the account had a username that had 52 or extra characters. Additional, its system needed to detect a “saved cache key” of a earlier profitable authentication, which suggests the account’s proprietor needed to have earlier historical past of logging in utilizing that browser. It additionally did not have an effect on organizations that require multi-factor authentication, in accordance with the notice the company sent to its users.

Nonetheless, a 52-character username is less complicated to guess than a random password — it might be so simple as an individual’s e-mail handle that has their full title together with their group’s web site area. The corporate has admitted that the vulnerability was launched as a part of a regular replace that went out on July 23, 2024 and that it solely found (and glued) the problem on October 30. It is now advising clients who meet all the vulnerability’s circumstances to examine their entry log over the previous few months.

Okta offers software program that makes it simple for corporations so as to add authentication companies to their software. For organizations with a number of apps, it offers customers entry to a single, unified log-in so they do not need to confirm their identities for every software. The corporate did not say whether or not it is conscious of anyone who’s been affected by this particular challenge, however it promised to “talk extra quickly with clients” previously after the menace group Lapsus$ accessed a few customers’ accounts.