Okta: Fixed a serious security vulnerability that allowed usernames longer than 52 characters to bypass login verification
2024-11-02 12:16
Odaily News: Okta, an identity and access management software provider, officially announced that on October 30, 2024, a vulnerability was discovered internally in the generation of cache keys for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key by hashing the combined string userId + username + password. Under a specific set of conditions, this could allow a user to authenticate by providing the username and being matched against the stored cache key of a previous successful authentication. A precondition for the vulnerability is that the username was 52 characters or longer each time a cache key was generated for that user. The affected products and versions are Okta AD/LDAP DelAuth from July 23, 2024; the vulnerability was resolved in Okta's production environment on October 30, 2024.
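The 52-character precondition follows from a known property of bcrypt: it only consumes the first 72 bytes of its input, so once userId plus username fills that window, the password no longer influences the hash. The following added example (not Okta's code; the 20-character userId, the salt and the passwords are constructed, and a PBKDF2-based stand-in models bcrypt's 72-byte limit so the block runs without third-party packages) contrasts a cache key built by hashing the raw concatenation with a hardened variant that pre-hashes the full input to a fixed-size digest before the KDF:

```python
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bcrypt ignores everything after the first 72 bytes of input


def truncating_kdf(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt (constructed): models only its 72-byte input limit."""
    return hashlib.pbkdf2_hmac("sha256", data[:BCRYPT_INPUT_LIMIT], salt, 10_000)


def vulnerable_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Pattern described in the advisory: KDF over the raw userId + username + password."""
    combined = (user_id + username + password).encode()
    return truncating_kdf(combined, salt)


def hardened_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Pre-hash all fields (delimited, so boundaries are unambiguous) to a 32-byte
    digest; every byte of the password now reaches the KDF regardless of length."""
    combined = "\x00".join([user_id, username, password]).encode()
    digest = hashlib.sha256(combined).digest()  # 32 bytes, always within the limit
    return truncating_kdf(digest, salt)


def password_bytes_consumed(user_id: str, username: str) -> int:
    """How many bytes of the password still fit inside the KDF input window."""
    prefix_len = len((user_id + username).encode())
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def password_affects_key(build, user_id: str, username: str, salt: bytes) -> bool:
    """True when a different password yields a different cache key for this user.
    False means any password would match the stored key for that username."""
    k1 = build(user_id, username, "correct-password-constructed", salt)
    k2 = build(user_id, username, "wrong-password-constructed", salt)
    return not hmac.compare_digest(k1, k2)


if __name__ == "__main__":
    uid = "00uCONSTRUCTED0123ab"  # constructed 20-character userId (assumed length)
    salt = b"constructed-salt"
    for name_len in (51, 52):
        name = "a" * name_len
        print(f"username length {name_len}: password bytes hashed =",
              password_bytes_consumed(uid, name),
              "| raw concat depends on password:",
              password_affects_key(vulnerable_cache_key, uid, name, salt),
              "| pre-hashed depends on password:",
              password_affects_key(hardened_cache_key, uid, name, salt))
```

With a 20-character userId, a 51-character username leaves one password byte inside the window, while a 52-character username leaves none, which is the boundary the advisory describes.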
