
Okta: Fixed a critical security vulnerability that allowed usernames of 52 characters or longer to bypass login verification

2024-11-02 21:19:18

ChainCatcher news: identity and access management provider Okta has officially stated that on October 30, 2024 it internally identified a vulnerability in how the AD/LDAP Delegated Authentication (DelAuth) cache key is generated. The cache key is produced with the Bcrypt algorithm over the concatenated string userId + username + password. Under a specific set of conditions, this could allow a user to authenticate by supplying the username alone, because the cache key stored from an earlier successful authentication would match again regardless of the password entered.

The precondition for this vulnerability is that the username must be 52 characters or longer every time a cache key is generated for the user. The reason is a property of Bcrypt itself: it hashes only the first 72 bytes of its input and silently discards the rest, so once userId plus username fill those 72 bytes (Okta user IDs are 20 characters, leaving 52 for the username) the password no longer contributes anything to the key. The affected product is Okta AD/LDAP DelAuth from July 23, 2024 onward; the vulnerability was resolved in Okta's production environment on October 30, 2024.
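As an added illustration (written by the editor; this is not Okta's code and is not taken from the advisory), the model below reproduces the failure mode with the Python standard library only. A SHA-256 stand-in hash keeps the one Bcrypt property that matters here, that input past byte 72 is discarded; the 20-character user ID, the sample credentials and the fixed salt are constructed assumptions. It also shows a hardened layout that looks the cache up by (userId, username), passes only the password through the KDF, and refuses over-long input rather than truncating it.

```python
"""
Model of the Okta AD/LDAP DelAuth cache-key flaw: a cache key built as
userId + username + password and fed to a KDF that silently truncates its
input to 72 bytes.  Real bcrypt truncates at 72 bytes; the hash below is a
SHA-256 stand-in for it (assumption: only the truncation is modelled, not
the cost factor or per-hash random salt), so this runs with stdlib only.
"""
import hashlib
from typing import Dict, Set, Tuple

BCRYPT_INPUT_LIMIT = 72      # bytes of input that bcrypt actually consumes
MODEL_SALT = b"fixed-salt"   # constructed; real bcrypt picks a random salt per hash


def truncating_kdf(data: bytes) -> str:
    """Stand-in for bcrypt: everything past byte 72 is ignored."""
    return hashlib.sha256(MODEL_SALT + data[:BCRYPT_INPUT_LIMIT]).hexdigest()


def surviving_password_bytes(user_id: str, username: str) -> int:
    """Password bytes that reach the hash when the key is userId+username+password."""
    prefix = len(user_id.encode()) + len(username.encode())
    return max(0, BCRYPT_INPUT_LIMIT - prefix)


class VulnerableCache:
    """Cache keyed by kdf(userId + username + password), as in the advisory."""

    def __init__(self) -> None:
        self.keys: Set[str] = set()

    def record_success(self, user_id: str, username: str, password: str) -> None:
        self.keys.add(truncating_kdf((user_id + username + password).encode()))

    def accepts(self, user_id: str, username: str, password: str) -> bool:
        return truncating_kdf((user_id + username + password).encode()) in self.keys


class HardenedCache:
    """Lookup by (userId, username); only the password goes through the KDF,
    and over-long input is refused instead of silently truncated."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], str] = {}

    @staticmethod
    def _checked(password: str) -> bytes:
        raw = password.encode()
        if len(raw) > BCRYPT_INPUT_LIMIT:
            raise ValueError("password exceeds the KDF input limit; pre-hash or reject")
        return raw

    def record_success(self, user_id: str, username: str, password: str) -> None:
        self.entries[(user_id, username)] = truncating_kdf(self._checked(password))

    def accepts(self, user_id: str, username: str, password: str) -> bool:
        stored = self.entries.get((user_id, username))
        return stored is not None and stored == truncating_kdf(self._checked(password))


def rejects_overlong_password(length: int) -> bool:
    """True if the hardened cache refuses a password of the given byte length."""
    try:
        HardenedCache().record_success("00u" + "x" * 17, "alice", "p" * length)
        return False
    except ValueError:
        return True


def demo(username_len: int) -> Tuple[bool, bool]:
    """Returns (vulnerable_accepts_wrong_password, hardened_accepts_wrong_password)
    after one successful login with a username of username_len ASCII characters."""
    user_id = "00u" + "x" * 17        # assumption: Okta user IDs are 20 characters
    username = "a" * username_len
    good, wrong = "correct horse battery", "wrong password"   # constructed
    vuln, hard = VulnerableCache(), HardenedCache()
    vuln.record_success(user_id, username, good)
    hard.record_success(user_id, username, good)
    return vuln.accepts(user_id, username, wrong), hard.accepts(user_id, username, wrong)


if __name__ == "__main__":
    for n in (51, 52, 60):
        print(n, "password bytes hashed:", surviving_password_bytes("0" * 20, "a" * n),
              "vulnerable/hardened accept wrong password:", demo(n))
```

With a 51-character username one password byte still reaches the hash, so a wrong password whose first byte differs is rejected; at 52 or more, the vulnerable cache accepts any password while the hardened cache does not. Note that the limit is in bytes, not characters, so a username containing multi-byte UTF-8 characters crosses it with fewer than 52 characters, and that Bcrypt's random per-hash salt offers no protection here because the truncated input is identical for every password.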
