Okta login vulnerability skipped password checks

Image source: AI generated

Okta, one of the most widely used providers of a single-sign-on service, or SSO, recently revealed a major security flaw that was fixed at the end of October. The vulnerability affected any account with a username 52 characters or longer. At that length, the service would simply skip the password check.

Daniel Fuller, Published 11/07/2024 🇫🇷 🇪🇸 ...

Security

Okta, one of the world's leading providers of single sign on service and identity management, revealed at the end of October that the company had fixed a bug in its service that caused a potentially serious security threat. Essentially, the bug skipped password checking for any account with a username longer than 52 characters. Bad actors could potentially get into these accounts just by entering the correct username, even if the password they provided was wrong or even absent. This, of course, assumes that a password is the only protection on the account in question.

The bug was introduced in an update that rolled out near the end of July 2024, and was noticed and fixed about three months later. The bug was not widely reported, and took a while to notice and nail down. The vast majority of usernames for any login portal tend to be under 52 characters, though some, such as those that include somebody's first and last name as well as their company email domain, may bust that limit. The vulnerability relied on multi-factor authentication not being enabled, and on the luck of the draw; logins in this case got authenticated by a cache of the encrypted key from a previous successful login. This meant that if the login attempt hit the main Okta authentication server before the cache could be loaded, it had the chance to be caught and stopped.

The relatively narrow set of circumstances that would allow this exploit to be used meant that its potential to cause chaos was not great, but the fact that this happened to a firm like Okta is telling. Security risks abound in many forms in today's digital world, and as such, the company warned all users, affected or not, to set up multi-factor authentication alongside any existing protections they had in place. Many login services require users to set up some kind of secondary authorization as a condition of creating and verifying their new account, making a potentially disastrous exploit like this one little more than a cautionary tale for the average user.

Source(s)

UFD Tech | Okta

Cybercriminals try to lure Spotify users to fraudulent websites via misleading playlists and spam podcasts. (Image source: Pexels / Anete Lusina)

Scam links detected on Spotify, users should be cautious 11/22/2024

A bug in iOS 18 caused iPhones and iPads to read passwords out loud. (Image source: Apple / Apple Developer)

VoiceOver in iOS 18 exposes passwords, leading to data security concerns 10/07/2024

Critical Windows security vulnerability allows attackers full control over IPv6 - apply August patch now. (Image source: AI-generated, Dall-E 3)

Critical Windows security vulnerability allows attackers full control over IPv6 in CVE-2024-38063 threat - apply August patches now 08/15/2024

The Sinkclose vulnerability affects AMD processors dating back to 2006. (Image source: Krzysztof Hepner via Unsplash)

'Sinkclose' vulnerability discovered in post-2006 AMD chips could pose a critical threat to data security 08/11/2024

The path of attack (Image Source: SafeBreach)

Old is new: Windows vulnerability allows undetectable downgrade attacks 08/08/2024

The largest password compilation ever was recently published. (Image via coolist.com)

Almost 10 billion passwords leaked in largest password compilation ever 07/07/2024

Microsoft rolls out passkey authentication for consumer accounts to replace passwords. (Source: AI generated by Dall-E 3)

Microsoft joins Apple and Google rolling out passkeys support to consumer accounts for passwordless logins 05/06/2024

The newly discovered vulnerability is causing concern in the Linux community (image: generated with Dall-E 3).

New Linux kernel vulnerability grants attackers root privileges 04/12/2024

Loading Comments

Comment on this article

Intel Arc Battlemage desktop GPUs c...

Leak reveals Samsung's Galaxy Ring ...

Daniel Fuller - Tech Writer - 27 articles published on Notebookcheck since 2024

Daniel is a lifelong Florida man that loves to share his passion for tech with his four kids. He spent four years as a tech journalist, and spent much longer than that freelancing. His love of tech started with Mega Man on the NES at the ripe old age of two. That snowballed into building PCs, modding game consoles, rooting smartphones, and hopping Linux distros. He's also a certified Android addict and ThinkPad junkie, but is generally fascinated by anything with a power supply. He works a day job at a theme park, and in his spare time, enjoys gaming, watching anime, practicing martial arts, and writing books and songs.

Please share our article, every link counts!