Okta, one of the most widely used providers of single sign-on services, or SSO, recently disclosed a major security vulnerability that was patched in late October. The flaw affected all accounts whose username was 52 characters or more. At this length, the service simply skipped password verification.
Okta, a leading global provider of single sign-on and identity management services, revealed in late October that it had fixed a bug in its service that posed a potentially serious security threat. Essentially, the bug skipped password verification for any account whose username was longer than 52 characters. Bad actors could potentially gain access to these accounts simply by entering the correct username, even if the password they provided was wrong or missing altogether. Of course, this assumes that a password is the only protection for the account in question.
The bug was introduced in an update released near the end of July 2024, and was noticed and fixed around three months later. It received little public attention, and it took a while to notice and resolve. The vast majority of usernames for any login portal tend to be shorter than 52 characters, although some, such as those that combine a person’s first and last name with their company email domain, may exceed this limit. Exploiting the vulnerability also depends on multi-factor authentication not being enabled, and on chance: in the affected path, a connection is authenticated against a cache of the encrypted key from a previous successful connection. This means that if the login attempt reaches Okta’s main authentication server before the cache is loaded, it has a chance of being detected and stopped.
The relatively narrow set of circumstances required to use this exploit meant that its potential for chaos wasn’t very high, but the fact that this happened to a company like Okta is telling. Security risks are numerous in today’s digital world, and that’s why the company has warned all users, affected or not, to implement multi-factor authentication in addition to any existing protections. Many login services already require users to set up some sort of secondary factor as a condition of creating and verifying a new account, making a potentially disastrous exploit like this little more than a warning for the average user.
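As an added example (not code from the article or from Okta), the following script applies the two conditions the article names, a username of 52 or more characters and no second factor, to a constructed user list and constructed sign-in records, so an administrator can see which accounts and which logins deserve review. The log field names and the exact July-to-October exposure window are assumptions.

```python
"""Triage helper for the long-username password-bypass bug described above.

Flags (a) accounts whose username is 52+ characters and that have no MFA
enrolled, and (b) successful password-only sign-ins by such usernames inside
the exposure window. Field names, dates and all sample data are constructed
assumptions for this example, not Okta's System Log schema or real records."""
from datetime import datetime, timezone

USERNAME_THRESHOLD = 52
# Assumed window: the article only says "end of July" to "late October" 2024.
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 30, tzinfo=timezone.utc)


def exposed_accounts(accounts):
    """Usernames that reach the threshold and are protected by a password only."""
    return sorted(
        a["username"] for a in accounts
        if len(a["username"]) >= USERNAME_THRESHOLD and not a.get("mfa_enrolled", False)
    )


def suspicious_logins(events):
    """Successful password-only logins by long usernames during the window."""
    hits = []
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if (ev["outcome"] == "SUCCESS"
                and ev["factor"] == "password"          # no second factor used
                and len(ev["username"]) >= USERNAME_THRESHOLD
                and WINDOW_START <= when <= WINDOW_END):
            hits.append((ev["username"], ev["time"]))
    return hits


# Constructed sample data; the second username is 57 characters long.
SAMPLE_ACCOUNTS = [
    {"username": "alice@example.com", "mfa_enrolled": False},
    {"username": "firstname.middlename.lastname@subsidiary.example-corp.com", "mfa_enrolled": False},
    {"username": "another.very.long.username.for.testing@enterprise.example.com", "mfa_enrolled": True},
]
SAMPLE_EVENTS = [
    {"time": "2024-08-15T09:12:00+00:00", "username": SAMPLE_ACCOUNTS[1]["username"], "factor": "password", "outcome": "SUCCESS"},
    {"time": "2024-06-01T10:00:00+00:00", "username": SAMPLE_ACCOUNTS[1]["username"], "factor": "password", "outcome": "SUCCESS"},
    {"time": "2024-09-02T14:30:00+00:00", "username": SAMPLE_ACCOUNTS[2]["username"], "factor": "mfa", "outcome": "SUCCESS"},
    {"time": "2024-09-03T08:45:00+00:00", "username": "alice@example.com", "factor": "password", "outcome": "SUCCESS"},
]

if __name__ == "__main__":
    print("Accounts to review:", exposed_accounts(SAMPLE_ACCOUNTS))
    print("Logins to review:", suspicious_logins(SAMPLE_EVENTS))
```

Only the long username without MFA is listed, and only its in-window password-only login is flagged; the June login predates the bug and the MFA-backed login is unaffected.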
Translator: Ninh Ngoc Duy – Editorial Assistant, Notebookcheck