Okta login bug vulnerability affecting long usernames

Okta Login Bug: Password Bypass for Long Usernames

On October 30, 2024, a significant vulnerability was identified in the authentication process of AD/LDAP Delegated Authentication (DelAuth). The issue centers on how the cache key is generated: the Bcrypt algorithm is used to hash a concatenated string of userId, username, and password. Under certain conditions, this could allow a user to authenticate by supplying only their username, provided a cache key from an earlier successful authentication was still stored.

Understanding the Vulnerability

This vulnerability becomes particularly problematic when two specific scenarios occur:

  • The agent is down: If the authentication agent cannot be reached, the DelAuth process falls back to the cache.
  • High traffic conditions: During periods of high traffic, DelAuth may also consult the cache before the agent.

In these cases, the DelAuth process checks the cache first, which can lead to unauthorized access when a matching cache key already exists.
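Added illustration, not Okta's code: bcrypt silently ignores input beyond 72 bytes, so when userId and username together reach that limit the password never influences the cache key. The block models that cap over a stdlib KDF so it runs without the bcrypt package; the userId, username and salt values are constructed, and the length-prefixed pre-hash is one hardening option, not a description of Okta's fix.

```python
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # real bcrypt ignores every byte past this offset
SALT = b"constructed-salt"  # constructed value for the example

def bcrypt_like(data: bytes, salt: bytes = SALT) -> bytes:
    """Stand-in for bcrypt: applies the genuine 72-byte input cap, then
    derives a key with PBKDF2 so the example runs offline."""
    return hashlib.pbkdf2_hmac("sha256", data[:BCRYPT_INPUT_LIMIT], salt, 10_000)

def vulnerable_cache_key(user_id: str, username: str, password: str) -> bytes:
    # The pattern described in the post: bcrypt over userId + username + password.
    return bcrypt_like(f"{user_id}{username}{password}".encode())

def hardened_cache_key(user_id: str, username: str, password: str) -> bytes:
    # Pre-hash with length-prefixed fields so the KDF input is fixed-length,
    # every field always contributes, and field boundaries cannot shift.
    h = hashlib.sha256()
    for field in (user_id, username, password):
        raw = field.encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    # hexdigest() is 64 bytes: under the cap and free of NUL bytes, which
    # some bcrypt implementations treat as a string terminator.
    return bcrypt_like(h.hexdigest().encode())

def password_is_truncated(user_id: str, username: str) -> bool:
    """Detection check: does the password start at or past the 72-byte cap?"""
    return len(f"{user_id}{username}".encode()) >= BCRYPT_INPUT_LIMIT

def cache_accepts(stored_key: bytes, candidate_key: bytes) -> bool:
    # Constant-time comparison, as a cache lookup should do.
    return hmac.compare_digest(stored_key, candidate_key)

if __name__ == "__main__":
    uid = "00u" + "x" * 17          # constructed 20-character userId
    long_user = "a" * 52            # 20 + 52 = 72 bytes before the password
    stored = vulnerable_cache_key(uid, long_user, "correct-horse")
    print("truncated:", password_is_truncated(uid, long_user))
    print("wrong password accepted (vulnerable):",
          cache_accepts(stored, vulnerable_cache_key(uid, long_user, "wrong")))
    stored_h = hardened_cache_key(uid, long_user, "correct-horse")
    print("wrong password accepted (hardened):",
          cache_accepts(stored_h, hardened_cache_key(uid, long_user, "wrong")))
```

Running `password_is_truncated` over existing userId/username pairs is a quick way to find accounts whose cached keys could not have included the password.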

Implications of Exploiting the Vulnerability

The ramifications of exploiting this vulnerability could be serious. Attackers who understand the cache mechanism could gain access to systems or credentials without satisfying the full authentication requirements, thereby compromising sensitive information.

Mitigation Strategies

To mitigate this vulnerability, it is crucial to:

  1. Review and update cache handling procedures to ensure robust authentication checks.
  2. Implement rate limiting to reduce the likelihood of high traffic situations impacting authentication.
  3. Ensure that fallback mechanisms do not rely solely on cache for authentication.

Continued monitoring of, and response to, vulnerabilities like this one is essential to maintaining secure authentication practices in systems that use AD/LDAP DelAuth.
