The vulnerability is fixed now, but Okta says that for three months it could have been used to access accounts with usernames at least 52 characters long.

On Friday evening, Okta posted an odd update to its list of security advisories.

The latest entry reveals that under specific circumstances, someone could have logged in by entering anything for a password, but only if the account's username had over 52 characters.

Illustration of a password above an open combination lock, implying a data breach.


Richard Lawler

According to the notice people received, other requirements to exploit the vulnerability include Okta checking the cache from a prior successful login, and the organization's authentication policy not adding extra conditions such as requiring multi-factor authentication (MFA).

Here are the details that are currently available:

On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth.

The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password.

Under specific conditions, this could allow users to authenticate by only providing the username with the stored cache key of a previous successful authentication.

The vulnerability can be exploited if the agent is down and cannot be reached OR there is high traffic.

This will result in the DelAuth hitting the cache first.

According to the post, the flaw had been present since an update on July 23rd until it was resolved by switching the cryptographic algorithm from Bcrypt to PBKDF2 after the vulnerability was internally identified.

Okta didn't immediately respond to a request for additional details but says customers whose setup meets the necessary conditions should check those three months of system logs.
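The advisory's description of the cache key explains why username length matters: bcrypt only uses the first 72 bytes of its input, so once userId plus username fills that window the password no longer influences the key, and any password produces the key cached from an earlier successful login. The Python below is an added illustration, not Okta's code. It models bcrypt's 72-byte limit with a truncated SHA-256 rather than calling bcrypt itself, uses a constructed 20-character userId (the 52-character threshold reported above suggests that length; treat it as an assumption) with a fixed salt, and contrasts the result with standard-library PBKDF2, the algorithm Okta switched to.

```python
import hashlib
import hmac

# bcrypt uses only the first 72 bytes of its input; anything beyond that is
# silently ignored. This stand-in models that limit with SHA-256 so the example
# runs on the standard library alone. It is NOT bcrypt itself.
BCRYPT_INPUT_LIMIT = 72
PBKDF2_ITERATIONS = 100_000
SALT = b"constructed-fixed-salt"  # constant salt keeps the demo deterministic


def bcrypt_like_key(user_id: str, username: str, password: str) -> bytes:
    """Cache key as the advisory describes it, hash(userId + username + password),
    with bcrypt's 72-byte truncation modelled explicitly."""
    combined = (user_id + username + password).encode("utf-8")
    return hashlib.sha256(SALT + combined[:BCRYPT_INPUT_LIMIT]).digest()


def pbkdf2_key(user_id: str, username: str, password: str) -> bytes:
    """Cache key built with PBKDF2, which consumes the whole input, so the
    password always influences the key regardless of username length."""
    combined = (user_id + username + password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", combined, SALT, PBKDF2_ITERATIONS)


def password_is_ignored(user_id: str, username: str) -> bool:
    """True when userId + username alone fills the 72-byte window, so the
    password contributes nothing to a bcrypt-style key."""
    return len((user_id + username).encode("utf-8")) >= BCRYPT_INPUT_LIMIT


def cache_lookup(cache: dict, key_fn, user_id: str, username: str, password: str) -> bool:
    """Models DelAuth 'hitting the cache first': the attempt is accepted when the
    key for the supplied credentials matches a key stored from a prior login."""
    key = key_fn(user_id, username, password)
    return hmac.compare_digest(cache.get(user_id, b""), key)


def demo() -> dict:
    """Constructed sample: a 20-character userId plus a 52-character username
    reaches exactly 72 bytes, the threshold reported for the flaw. Returns whether
    a login with a wrong password is accepted under each key scheme."""
    user_id = "00u" + "x" * 17                 # 20 chars, assumed Okta-style id
    username = "a" * 40 + "@example.com"       # 52 chars
    correct_password = "correct horse battery staple"
    results = {}
    for name, key_fn in (("bcrypt_like", bcrypt_like_key), ("pbkdf2", pbkdf2_key)):
        # A previous successful authentication left this key in the cache.
        cache = {user_id: key_fn(user_id, username, correct_password)}
        # A later attempt with an unrelated password, served from the cache.
        results[name] = cache_lookup(cache, key_fn, user_id, username, "anything")
    return results


if __name__ == "__main__":
    print(demo())  # {'bcrypt_like': True, 'pbkdf2': False}
```

The same model also shows why the threshold is sharp: with a 51-character username the 72nd byte is the first byte of the password, so different passwords still yield different keys, while at 52 characters the password is cut off entirely. For a defender the takeaway is that a cache keyed on a truncating hash must never let the truncated portion carry the secret.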
