
Okta vulnerability allowed accounts with long usernames to log in without a password

Mariella Moon

In a new security advisory, Okta has revealed that its system had a vulnerability that allowed people to log into an account without having to provide the correct password. Okta bypassed password authentication if the account had a username of 52 or more characters. In addition, its system had to detect a "stored cache key" from a previous successful authentication, meaning the account's owner had to have a prior history of logging in using that browser. It also did not affect organizations that require multi-factor authentication, according to the notice the company sent to its users.

Granted, a 52-character username is easier to guess than a random password: it could be as simple as a person's email address, which contains their full name along with their organization's website domain. The company has admitted that the vulnerability was introduced as part of a standard update that went out on July 23, 2024 and that it only discovered (and fixed) the issue on October 30. It is now advising customers who meet all of the vulnerability's conditions to check their access logs from the past few months.
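One way a defender could act on that advice, as an added example that is not from the article or from Okta: scan authentication records for successful, non-MFA logins whose username is 52 characters or longer, dated between the July 23 update and the October 30 fix. The record format and field names below are constructed for illustration and are not Okta's log schema; the "stored cache key" condition is not modelled because it is not visible in a login record.

```python
import json
from datetime import datetime, timezone

# Conditions stated in the advisory: a username of 52+ characters, a login in
# the window between the update that introduced the bug and the fix, and an
# organization that does not require MFA.
MIN_USERNAME_LEN = 52
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 30, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample records (hypothetical field names, one JSON object per line).
SAMPLE_LOG = """
{"ts": "2024-08-02T10:15:00Z", "user": "firstname.lastname.with.a.very.long.name@subdomain.example-corporation.com", "outcome": "SUCCESS", "mfa": false}
{"ts": "2024-08-02T10:16:00Z", "user": "short@example.com", "outcome": "SUCCESS", "mfa": false}
{"ts": "2024-06-01T09:00:00Z", "user": "firstname.lastname.with.a.very.long.name@subdomain.example-corporation.com", "outcome": "SUCCESS", "mfa": false}
{"ts": "2024-09-14T22:40:00Z", "user": "another.extremely.long.username.for.testing.purposes@example-organization.org", "outcome": "SUCCESS", "mfa": true}
{"ts": "2024-09-15T08:00:00Z", "user": "another.extremely.long.username.for.testing.purposes@example-organization.org", "outcome": "FAILURE", "mfa": false}
"""


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_window(ts):
    """True if an ISO-8601 UTC timestamp falls inside the vulnerable window."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return WINDOW_START <= t <= WINDOW_END


def suspicious_logins(records):
    """Return records matching every advisory condition that a log can show:
    successful outcome, 52+ character username, inside the window, no MFA."""
    return [
        r for r in records
        if r["outcome"] == "SUCCESS"
        and len(r["user"]) >= MIN_USERNAME_LEN
        and in_window(r["ts"])
        and not r["mfa"]
    ]


def affected_users(records):
    """Sorted, de-duplicated usernames that have at least one suspicious login."""
    return sorted({r["user"] for r in suspicious_logins(records)})


if __name__ == "__main__":
    for user in affected_users(parse_records(SAMPLE_LOG)):
        print("review login history for:", user)
```

Each flagged account still needs a manual review against the user's known browsers and locations; the scan only narrows the list to logins that meet the advisory's stated conditions.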

Okta provides software that makes it easy for companies to add authentication services to their applications. For organizations with multiple apps, it gives users a single, unified login so they do not have to verify their identities for each application. The company did not say whether it is aware of anyone who has been affected by this particular issue, but it did previously promise to "communicate more rapidly with customers" after the threat group Lapsus$ accessed some users' accounts.
