Okta fixes serious security vulnerability: Usernames longer than 52 characters can bypass login verification
23pds, the Chief Information Security Officer of SlowMist, posted that Okta allows a login bypass for any username over 52 characters! According to the announcement by Okta, an identity and access management software provider, a vulnerability in the generation of the cache key for AD/LDAP DelAuth was identified internally on October 30th. The Bcrypt algorithm was used to generate the cache key, where a combined string of userId + username + password is hashed. Under a specific set of conditions, this could allow a user to authenticate by providing only the username together with the stored cache key from a previous successful authentication.
The precondition for this vulnerability is that the username must be 52 characters or longer each time a cache key is generated for that user. The affected product is Okta AD/LDAP DelAuth up to July 23, 2024; the vulnerability was resolved in Okta's production environment on October 30, 2024.
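To make the 52-character threshold concrete, here is an added example (not Okta's code, and not code from the announcement) that models why a key derived as bcrypt(userId + username + password) stops depending on the password once the prefix is long enough. Bcrypt only consumes the first 72 bytes of its input; the example stands in for bcrypt with PBKDF2-SHA256 over the same 72-byte-truncated input, since the defect lies in the truncation rather than the cost function. The 20-character userId, the salt, and the passwords are constructed assumptions; with a 20-byte userId, a 52-byte username fills the 72-byte window exactly, which is the threshold the announcement describes. The hardened variant pre-hashes a length-delimited encoding of all three fields so nothing is truncated and field boundaries are unambiguous.

```python
import hashlib
import hmac

# bcrypt only uses the first 72 bytes of its input; later bytes have no effect on the hash.
BCRYPT_MAX_INPUT = 72


def bcrypt_like(data: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for bcrypt: keeps bcrypt's 72-byte input limit (the
    property that matters here) but uses PBKDF2-SHA256 as the cost function so the
    example runs without a bcrypt library."""
    return hashlib.pbkdf2_hmac("sha256", data[:BCRYPT_MAX_INPUT], salt, 1000)


def vulnerable_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Flawed construction: plain concatenation fed straight to the bcrypt-style KDF.
    Once len(user_id) + len(username) >= 72 bytes, the password is truncated away."""
    combined = (user_id + username + password).encode("utf-8")
    return bcrypt_like(combined, salt)


def fixed_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Hardened construction: pre-hash a length-prefixed encoding of every field.
    The 32-byte digest is well under the 72-byte limit, so no input is ever dropped,
    and the length prefixes prevent one field from bleeding into the next."""
    h = hashlib.sha256()
    for field in (user_id, username, password):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return bcrypt_like(h.digest(), salt)


def password_bytes_that_matter(user_id: str, username: str) -> int:
    """Audit helper for the flawed construction: how many bytes of the password
    still fall inside bcrypt's 72-byte window for this userId/username pair."""
    used = len(user_id.encode("utf-8")) + len(username.encode("utf-8"))
    return max(0, BCRYPT_MAX_INPUT - used)


def password_is_ignored(keyfunc, user_id: str, username: str, salt: bytes) -> bool:
    """True if keyfunc yields the same key for two different passwords, i.e. the
    password has no influence on the derived cache key."""
    k1 = keyfunc(user_id, username, "correct horse battery staple", salt)
    k2 = keyfunc(user_id, username, "Tr0ub4dor&3-unrelated", salt)
    return hmac.compare_digest(k1, k2)


if __name__ == "__main__":
    # Constructed sample values: a 20-character userId and a 52-character username.
    user_id = "00u" + "x" * 17
    long_name = "a" * 52
    salt = b"constructed-example-salt"
    print("password bytes inside the window:", password_bytes_that_matter(user_id, long_name))
    print("vulnerable key ignores password:", password_is_ignored(vulnerable_cache_key, user_id, long_name, salt))
    print("fixed key ignores password:     ", password_is_ignored(fixed_cache_key, user_id, long_name, salt))
```

The `password_bytes_that_matter` check is the kind of review a defender can run over any bcrypt-based construction: if the sum of the non-secret prefix fields can reach 72 bytes for some user, the secret is partly or wholly discarded, and a pre-hash (or a separate authentication check that never relies on the cache key alone) is required.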